Abstract



We define new abstract machines for game semantics which correspond to networks of conventional computers, and can be used as an intermediate representation for compilation targeting distributed systems. This is achieved in two steps. First we introduce the HRAM, a Heap and Register Abstract Machine, an abstraction of a conventional computer, which can be structured into HRAM nets, an abstract point-to-point network model. HRAMs are multi-threaded and subsume communication by tokens (cf. IAM) or jumps. Game Abstract Machines (GAMs) are HRAMs with additional structure at the interface level, but no special operational capabilities. We show that GAMs cannot be naively composed, but composition must be mediated using appropriate HRAM combinators. HRAMs are flexible enough to allow the representation of game models for languages with state (non-innocent games) or concurrency (non-alternating games). We illustrate the potential of this technique by implementing a toy distributed compiler for ICA, a higher-order programming language with shared state concurrency, thus significantly extending our previous distributed PCF compiler. We show that compilation is sound and memory-safe, i.e. no (distributed or local) garbage collection is necessary.



1 Introduction 




One of the most profound discoveries in theoretical computer science is the fact that logical and computational phenomena can be subsumed by relatively simple communication protocols. This understanding came independently from Girard's work on the Geometry of Interaction (GOI) [16] and Milner's work on process calculi [22], and had a profound influence on the subsequent development of game semantics (see [12] for a historical survey). Of the three, game semantics proved to be particularly effective at producing precise mathematical models for a large variety of programming languages, solving a long-standing open problem concerning higher-order sequential computation [1, 19].



*An extended abstract of this paper is due to appear in the Twenty-Eighth Annual 
ACM/IEEE Symposium on Logic in Computer Science (LICS 2013), June 25-28, 2013, New 
Orleans, USA. 



One of the most appealing features of game semantics is that it has a dual denotational and operational character. By denotational we mean that it is compositionally defined on the syntax, and by operational we mean that it can be effectively presented and can form a basis for compilation [13]. This feature was apparent from the earliest presentations of game semantics [18] and is not very surprising, although the operational aspects are less perspicuous than in interpretations based on process calculi or GOI, which quickly found applications in compiler [21] or interpreter [2] development and optimisation.



An important development, which provided essential inspiration for this work, was the introduction of the Pointer Abstract Machine (PAM) and the Interaction Abstract Machine (IAM), which sought to fully restore the operational intuitions of game semantics [5] by relating them to two kinds of abstract machines, one based on term rewriting (PAM) and one based on networks of automata (IAM), profoundly inspired by GOI. A further optimisation of the IAM, the Jumping Abstract Machine (JAM), was introduced subsequently to avoid the overheads of the IAM [d].



Contribution In this paper we develop the line of work on the PAM, IAM, and JAM, in order to define new abstract machines which correspond more closely to networks of conventional computers and can be used as an intermediate representation for compilation targeting distributed systems. This is achieved in two steps. First we introduce the HRAM, a Heap and Register Abstract Machine, an abstraction of a conventional computer, which can be structured into HRAM nets, an abstract point-to-point network model. HRAMs are multi-threaded and subsume communication by tokens (cf. IAM) or jumps. GAMs, Game Abstract Machines, are HRAMs with additional structure at the interface level, but no special operational capabilities. We show that GAMs cannot be naively composed, but composition must be mediated using appropriate HRAM combinators. Starting from a formulation of game semantics in the nominal model [9] has two benefits. First, pointer manipulation requires no encoding or decoding, as in integer-based representations, but exploits the HRAM ability to create locally fresh names. Second, token size is constant as only names are passed around; the computational history of a token is stored by the HRAM rather than passed around (cf. IAM). HRAMs are also flexible enough to allow the representation of game models for languages with state (non-innocent games) or concurrency (non-alternating games). We illustrate the potential of this technique by implementing a compiler targeting distributed systems for ICA, a higher-order programming language with shared state concurrency [1J], thus significantly extending our previous distributed PCF compiler [8]. We show that compilation is sound and memory-safe, i.e. no (distributed or local) garbage collection is necessary.¹



Other related and relevant work The operational intuitions of GOI were originally confined to the sequential setting, but more recent work on Ludics showed how they can be applied to concurrency [7] through an abstract treatment not immediately applicable to our needs. Whereas our work takes the IAM/JAM as the starting point, developing abstract machines akin to the PAM revealed interesting syntactic and operational connections between game semantics and Böhm trees [J]. The connection between game semantics, syntactic recursion schemes and automata also had several interesting applications to verifying higher-order computation (see e.g. [24]). Finally, the connection between game semantics and operational semantics can be made more directly by eliding all the semantic structure in the game and reducing it to a very simple communication mechanism between a program and its environment, which is useful in understanding hostile opponents and verifying security properties [15].

¹ Available from http://veritygos.org/gams



2 Simple nets 

In this section we introduce a class of basic abstract machines for manipulating heap structures, which also have primitives for communication and control. They represent a natural intermediate stage for compilation to machine language, and will be used as such in Sec. 01. The machines can naturally be organised into communication networks which give an abstract representation of distributed systems. We find it formally convenient to work in a nominal model in order to avoid the difficulties caused by concrete encoding of game structures, especially justification pointers, as integers. We assume the reader has some familiarity with basic nominal concepts; the interested reader is referred to the literature ([lfj] is a starting point).

2.1 Heap and register abstract machines (HRAM) 

We fix a set of port names ($\mathbb{A}$) and a set of pointer names ($\mathbb{P}$) as disjoint sets of atoms. Let $L = \{O, P\}$ be the set of polarities of a port. To maintain an analogy with game semantics from the beginning, port names correspond to game-semantic moves and input/output polarities correspond to opponent/proponent. A port structure is a tuple $(l, a) \in \mathit{Port} = L \times \mathbb{A}$. An interface $A \in \mathcal{P}_{fin}(\mathit{Port})$ is a set of port structures such that all port names are unique, i.e. $\forall p = (l, a), p' = (l', a') \in A$, if $a = a'$ then $p = p'$. Let the support of an interface be $\mathrm{sup}(A) = \{a \mid (l, a) \in A\}$, its set of port names.

The tensor of two interfaces is defined as $A \otimes B = A \cup B$, where $\mathrm{sup}(A) \cap \mathrm{sup}(B) = \emptyset$. The dual of an interface is defined as $A^* = \{p^* \mid p \in A\}$ where $(l, a)^* = (l^*, a)$, $O^* = P$ and $P^* = O$. An arrow interface is defined in terms of tensor and dual, $A \Rightarrow B = A^* \otimes B$.

We introduce notation for the opponent ports of an interface, $A^{(O)} = \{(O, a) \in A\}$. The player ports $A^{(P)}$ of an interface are defined analogously. The set of all interfaces is denoted by $\mathcal{I}$. We say that two interfaces have the same shape if they are equivariant, i.e. there is a permutation $\pi : \mathbb{A} \to \mathbb{A}$ such that $\{\pi \cdot p \mid p \in A_1\} = A_2$, and we write $\pi \vdash A_1 =_{\mathbb{A}} A_2$, where $\pi \cdot (l, a) = (l, \pi(a))$ is the permutation action of $\pi$. We may simply write $A_1 =_{\mathbb{A}} A_2$ if $\pi$ is obvious or unimportant.

Let the set of data $\mathbb{D}$ consist of the null datum $\emptyset \in 1$, pointer names $a \in \mathbb{P}$ and integers $n \in \mathbb{Z}$. Let the set of instructions $\mathit{Instr}$ be as below, where $i, j, k \in \mathbb{N} + 1$ (which permits ignoring results and allocating "null" data).

• $i \leftarrow \mathsf{new}\ j, k$ allocates a new pointer in the heap and populates it with the values stored in registers $j$ and $k$, storing the pointer in register $i$.

• $i, j \leftarrow \mathsf{get}\ k$ reads the tuple pointed at by the name in register $k$ and stores it in registers $i$ and $j$.

• $\mathsf{update}\ i, j$ writes the value stored in register $j$ to the second component of the value pointed to by the name in register $i$.

• $\mathsf{free}\ i$ releases the memory pointed to by the name in register $i$ and resets the register.

• $\mathsf{flip}\ i, j$ swaps the values of registers $i$ and $j$.

• $i \leftarrow \mathsf{set}\ j$ sets register $i$ to the value $j$.

Let code fragments $C$ be $C ::= \mathit{Instr}; C \mid \mathsf{ifzero}\ i\ C\ C \mid \mathsf{spark}\ a \mid \mathsf{end}$. The port names occurring in a code fragment are given by $\mathrm{sup} \in C \to \mathcal{P}_{fin}(\mathbb{A})$, defined in the obvious way (only the $\mathsf{spark}\ a$ instruction can contribute names). An $\mathsf{ifzero}\ i$ instruction will branch according to the value stored in register $i$. A $\mathsf{spark}\ a$ will either jump to $a$ or send a message to $a$, depending on whether $a$ is a local port or not.

An engine is an interface together with a port map, $E = (A, P) \in \mathcal{I} \times (\mathrm{sup}(A^{(O)}) \to C)$, such that for each code fragment $c \in \mathrm{cod}\, P$ and each port name $a \in \mathrm{sup}(c)$, $(P, a) \in A$, meaning that ports that are "sparked" must be output ports of the interface $A$. The set of all engines is $\mathcal{E}$.

Engines have threads and a shared heap. All threads have a fixed number of registers $r$, which is a global constant. For the language ICA we will need four registers, but languages with more kinds of pointers in the game model, e.g. control pointers [2fJ], may need and use more registers.

A thread is a tuple $t = (c, \vec d) \in T = C \times \mathbb{D}^r$: a code fragment and an $r$-tuple of data register values.

An engine configuration is a tuple $\kappa = (\bar t, h) \in \mathcal{K} = \mathcal{P}_{fin}(T) \times (\mathbb{P} \rightharpoonup \mathbb{P} \times \mathbb{D})$: a set of threads and a heap that maps pointer names to pairs of pointer names and data items.

A pair consisting of an engine configuration and an engine will be written using the notation $\kappa : E \in \mathcal{K} \times \mathcal{E}$. Define the function $\mathit{initial} \in \mathcal{E} \to \mathcal{K} \times \mathcal{E}$ as $\mathit{initial}(E) = (\emptyset, \emptyset) : E$ for an engine $E$. This function pairs the engine up with an engine configuration consisting of no threads and an empty heap.

HRAMs communicate using messages, each consisting of a port name and a vector of data items of size $r_m$: $m = (a, \vec d) \in M = \mathbb{A} \times \mathbb{D}^{r_m}$. The constant $r_m$ specifies the size of the messages in the network, and has to fulfil $r_m \le r$. For a set $X \subseteq \mathbb{A}$, define $M_X = X \times \mathbb{D}^{r_m}$, the subset of $M$ whose port names are limited to those of $X$.

We specify the operational semantics of an engine $E = (A, P)$ as a transition relation $\to_{E,\chi} \subseteq \mathcal{K} \times (\{\bullet\} \cup (L \times M)) \times \mathcal{K}$. The relation is either labelled with $\bullet$ (a silent transition) or with a polarised message (an observable transition). The messages will be constructed simply from the first $r_m$ registers of a thread, meaning that on certain actions part of the register contents become observable in the transition relation.

To aid readability, we use the following shorthands:

• $\kappa \to_{E,\chi} \kappa'$ means $\kappa \xrightarrow{\bullet}_{E,\chi} \kappa'$ (silent transitions).

• $\kappa \xrightarrow{(a, \vec d)}_{E,\chi} \kappa'$ means $\kappa \xrightarrow{(P, (a, \vec d))}_{E,\chi} \kappa'$ (output transitions).

• $\kappa \xrightarrow{\overline{(a, \vec d)}}_{E,\chi} \kappa'$ means $\kappa \xrightarrow{(O, (a, \vec d))}_{E,\chi} \kappa'$ (input transitions).

We use the notation $\vec d$ for $n$-tuples of registers and then $d_i$ for the (zero-based) $i$-th component of $\vec d$, and $d_\emptyset = \emptyset$. For updating a register, we use $\vec d[i := d] = (d_0, \ldots, d_{i-1}, d, d_{i+1}, \ldots, d_{n-1})$ and $\vec d[\emptyset := d] = \vec d$.

To construct messages from the register contents of a thread, we use the functions $\mathrm{msg} \in \mathbb{D}^r \to \mathbb{D}^{r_m}$, which takes the first $r_m$ components of its input, and $\mathrm{regs} \in \mathbb{D}^{r_m} \to \mathbb{D}^r$, which pads its input with $\emptyset$ at the end (i.e. $\mathrm{regs}(\vec d) = (d_0, \ldots, d_{r_m - 1}, \emptyset, \ldots, \emptyset)$).

The network connectivity is specified by the function $\chi$, which will be described in more detail in the next sub-section. For a port name $a$, $\chi(a)$ can be read as "the port that $a$ is connected to". The full operational rules for HRAMs are given in Fig. 1. The interesting rule is that for $\mathsf{spark}$, because it depends on whether the port where the next computation is "sparked" is local or not. If the port is local then $\mathsf{spark}$ makes a jump, and if the port is non-local then it produces an output token and the current thread of execution is terminated, similar to the IAM.



2.2 HRAM nets 

A well-formed HRAM net $S \in \mathcal{S}$ is a set of engines, a function over port names specifying what ports are connected, and an external interface, $S = (E, \chi, A)$, where $E \subseteq \mathcal{E}$, $A \in \mathcal{I}$, and $\chi$ is a bijection between the net's output and input port names. Specifically, $\chi$ has to be in $\mathrm{sup}(A^{(O)} \otimes I_E^{(P)}) \to \mathrm{sup}(A^{(P)} \otimes I_E^{(O)})$, where $I_E = \bigotimes\{A \mid (A, P) \in E\}$.

Fig. 2 shows a diagram of an HRAM net with two HRAMs (interfaces $A$, $A'$, two ports each), each with two running threads ($t_i$, $t'_i$) with local registers ($\vec d_i$, $\vec d'_i$) and shared heaps ($h$, $h'$). Two of the HRAM ports are connected and two are part of the global interface $B$.

The function $\chi$ gives the net connectivity. It being in $\mathrm{sup}(A^{(O)} \otimes I_E^{(P)}) \to \mathrm{sup}(A^{(P)} \otimes I_E^{(O)})$ means that it maps each input port name of the net's interface and output port name of the net's engines to either an output port name of the net's interface or an input port name of one of its engines. Since it is a bijection,



\[ ((i \leftarrow \mathsf{new}\ j, k;\ C, \vec d) \cup \bar t, h) \to_{E,\chi} ((C, \vec d[i := p]) \cup \bar t, h \cup \{p \mapsto (d_j, d_k)\}) \quad \text{if } p \notin \mathrm{sup}(h) \]

\[ ((i, j \leftarrow \mathsf{get}\ k;\ C, \vec d) \cup \bar t, h \cup \{d_k \mapsto (d, d')\}) \to_{E,\chi} ((C, \vec d[i := d][j := d']) \cup \bar t, h \cup \{d_k \mapsto (d, d')\}) \]

\[ ((\mathsf{update}\ i, j;\ C, \vec d) \cup \bar t, h \cup \{d_i \mapsto (d, d')\}) \to_{E,\chi} ((C, \vec d) \cup \bar t, h \cup \{d_i \mapsto (d, d_j)\}) \]

\[ ((\mathsf{free}\ i;\ C, \vec d) \cup \bar t, h \cup \{d_i \mapsto (d, d')\}) \to_{E,\chi} ((C, \vec d[i := \emptyset]) \cup \bar t, h) \]

\[ ((\mathsf{flip}\ i, j;\ C, \vec d) \cup \bar t, h) \to_{E,\chi} ((C, \vec d[i := d_j][j := d_i]) \cup \bar t, h) \]

\[ ((i \leftarrow \mathsf{set}\ j;\ C, \vec d) \cup \bar t, h) \to_{E,\chi} ((C, \vec d[i := j]) \cup \bar t, h) \]

\[ ((\mathsf{ifzero}\ i\ c_1\ c_2, \vec d[i := 0]) \cup \bar t, h) \to_{E,\chi} ((c_1, \vec d[i := 0]) \cup \bar t, h) \]

\[ ((\mathsf{ifzero}\ i\ c_1\ c_2, \vec d[i := n + 1]) \cup \bar t, h) \to_{E,\chi} ((c_2, \vec d[i := n + 1]) \cup \bar t, h) \]

\[ ((\mathsf{spark}\ a, \vec d) \cup \bar t, h) \xrightarrow{(\chi(a), \mathrm{msg}(\vec d))}_{E,\chi} (\bar t, h) \quad \text{if } (O, \chi(a)) \notin A \]

\[ ((\mathsf{spark}\ a, \vec d) \cup \bar t, h) \to_{E,\chi} ((P(\chi(a)), \mathrm{regs}(\mathrm{msg}(\vec d))) \cup \bar t, h) \quad \text{if } (O, \chi(a)) \in A \]

\[ (\bar t, h) \xrightarrow{\overline{(a, \vec d)}}_{E,\chi} ((P(a), \mathrm{regs}(\vec d)) \cup \bar t, h) \quad \text{if } (O, a) \in A \]

\[ ((\mathsf{end}, \vec d) \cup \bar t, h) \to_{E,\chi} (\bar t, h) \]

Figure 1: Operational semantics of HRAMs (for an engine $E = (A, P)$; $\bar t$ is the set of the remaining threads)

Figure 2: Example HRAM net (diagram)



\[ \frac{e \to_{E,\chi} e'}{(e : E \cup \bar e : \bar E, m) \to (e' : E \cup \bar e : \bar E, m)} \]

\[ \frac{e \xrightarrow{(a, \vec d)}_{E,\chi} e'}{(e : E \cup \bar e : \bar E, m) \to (e' : E \cup \bar e : \bar E, \{(a, \vec d)\} \uplus m)} \]

\[ \frac{e \xrightarrow{\overline{(a, \vec d)}}_{E,\chi} e'}{(e : E \cup \bar e : \bar E, \{(a, \vec d)\} \uplus m) \to (e' : E \cup \bar e : \bar E, m)} \]

\[ \frac{(P, a) \in A}{(\bar e : \bar E, \{(a, \vec d)\} \uplus m) \xrightarrow{(a, \vec d)} (\bar e : \bar E, m)} \]

\[ \frac{(O, a) \in A}{(\bar e : \bar E, m) \xrightarrow{\overline{(a, \vec d)}} (\bar e : \bar E, \{(\chi(a), \vec d)\} \uplus m)} \]

Figure 3: Operational semantics of HRAM nets

each port name (and thus port) is connected to exactly one other port name, so the abstract network model we are using is point-to-point.

For an engine $e = (A, P)$, we define a singleton net with $e$ as its sole engine as $\mathit{singleton}(e) = (\{e\}, \chi, A')$, where $A'$ is an interface such that $\pi \vdash A =_{\mathbb{A}} A'$ and $\chi$ is given by:

\[ \chi(a) = \pi(a) \quad \text{if } a \in \mathrm{sup}(A^{(P)}) \]
\[ \chi(a) = \pi^{-1}(a) \quad \text{if } a \in \mathrm{sup}(A'^{(O)}) \]

A net configuration is a set of tuples of engine configurations and engines and a multiset of pending messages: $\eta = (\bar e : \bar E, m) \in \mathcal{N} = \mathcal{P}_{fin}(\mathcal{K} \times \mathcal{E}) \times \mathit{Mset}_{fin}(M)$.

Define the function $\mathit{initial} \in \mathcal{S} \to \mathcal{N}$ as $\mathit{initial}(E, \chi, A) = (\{\mathit{initial}(E') \mid E' \in E\}, \emptyset)$, a net configuration with only initial engines and no pending messages.

The operational semantics of a net $S = (E, \chi, A)$ is specified as a transition relation $\to_S \subseteq \mathcal{N} \times (\{\bullet\} \cup (L \times M_{\mathrm{sup}(A)})) \times \mathcal{N}$. The semantics is given in the style of the Chemical Abstract Machine (CHAM) [Q], where HRAMs are "molecules" and the pending messages of the HRAM net are the "solution". HRAM inputs (outputs) are to (from) the set of pending messages. Silent transitions of any HRAM are silent transitions of the net. The rules are given in Fig. 3.
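As an added example (not the paper's code, nor part of the compiler it describes), the following Python model executes the HRAM rules of Fig. 1 and the net rules of Fig. 3 with $r = 4$ registers and $r_m = 3$ message components. The tuple encoding of instructions, the use of Python `None` for the null datum $\emptyset$, string port names, integer pointer names and the two sample engines are this example's own constructions.

```python
NULL = None            # the null datum; also the "ignored" register index
R, R_M = 4, 3          # r registers per thread, r_m data items per message

def msg(d):            # msg: the first r_m registers form the message payload
    return tuple(d[:R_M])
def regs(payload):     # regs: pad an r_m-tuple with null data to r registers
    return tuple(payload) + (NULL,) * (R - R_M)
def upd(d, i, v):      # d[i := v]; the null index is ignored: d[null := v] = d
    return d if i is NULL else d[:i] + (v,) + d[i + 1:]

class Engine:
    """Engine (A, P): A maps port names to 'O'/'P'; P maps O-ports to code,
    a list of tuples such as ('new', i, j, k) or ('spark', a)."""
    def __init__(self, interface, port_map):
        self.A, self.P = interface, port_map
        self.threads, self.heap = [], {}   # thread set and heap h
    def receive(self, a, payload):         # input rule: start a thread at P(a)
        assert self.A[a] == 'O'
        self.threads.append((list(self.P[a]), regs(payload)))
    def step(self, chi):
        """Run one thread until it ends or emits a token; return that token."""
        code, d = self.threads.pop()
        while True:
            (ins, *args), code = code[0], code[1:]
            if ins == 'new':                        # i <- new j, k
                i, j, k = args
                p = max(self.heap, default=0) + 1   # fresh: p not in sup(h)
                self.heap[p] = (d[j], d[k])
                d = upd(d, i, p)
            elif ins == 'get':                      # i, j <- get k
                i, j, k = args
                x, y = self.heap[d[k]]
                d = upd(upd(d, i, x), j, y)
            elif ins == 'update':                   # update i, j
                i, j = args
                self.heap[d[i]] = (self.heap[d[i]][0], d[j])
            elif ins == 'free':                     # free i
                (i,) = args
                del self.heap[d[i]]
                d = upd(d, i, NULL)
            elif ins == 'flip':                     # flip i, j
                i, j = args
                d = upd(upd(d, i, d[j]), j, d[i])
            elif ins == 'set':                      # i <- set j (j a literal)
                d = upd(d, *args)
            elif ins == 'ifzero':                   # ifzero i c1 c2
                i, c1, c2 = args
                code = list(c1 if d[i] == 0 else c2)
            elif ins == 'spark':                    # spark a
                target = chi[args[0]]
                if self.A.get(target) == 'O':       # local port: a jump
                    code, d = list(self.P[target]), regs(msg(d))
                else:                               # non-local: emit a token
                    return (target, msg(d))
            else:                                   # end: the thread terminates
                return None

class Net:
    """Net (E, chi, A) run CHAM-style as in Fig. 3: the pending messages are
    the solution and the engines are the molecules."""
    def __init__(self, engines, chi, interface):
        self.chi, self.A = chi, interface
        self.owner = {a: e for e in engines for a in e.A}
        self.pending = []                  # the multiset m of pending messages
    def input(self, a, payload):           # net input rule: forward along chi
        assert self.A[a] == 'O'
        self.pending.append((self.chi[a], payload))
    def run(self):
        """Deliver messages until quiescent; return the net's output tokens."""
        outputs = []
        while self.pending:
            a, payload = self.pending.pop()
            if self.A.get(a) == 'P':                # net output rule
                outputs.append((a, payload))
                continue
            e = self.owner[a]
            e.receive(a, payload)
            while e.threads:
                token = e.step(self.chi)
                if token is not None:
                    self.pending.append(token)
        return outputs

def demo():
    """Constructed sample: E1 allocates, updates, reads back and frees a cell,
    jumps locally (v -> u), then sends to E2 (s -> r), which branches on a
    register and answers on the net's external output port."""
    e1 = Engine({'q': 'O', 'u': 'O', 'v': 'P', 's': 'P'}, {
        'q': [('new', 3, 0, 1), ('set', 2, 41), ('update', 3, 2),
              ('get', 0, 1, 3), ('free', 3), ('spark', 'v')],
        'u': [('flip', 0, 1), ('spark', 's')]})
    e2 = Engine({'r': 'O', 't': 'P'}, {
        'r': [('ifzero', 1, [('set', 2, 0), ('spark', 't')],
                            [('set', 2, 1), ('spark', 't')])]})
    net = Net([e1, e2], {'in': 'q', 'v': 'u', 's': 'r', 't': 'out'},
              {'in': 'O', 'out': 'P'})
    net.input('in', (5, 0, 0))
    # memory safety: every allocated cell was freed, so both heaps end empty
    return net.run(), e1.heap == {} and e2.heap == {}
```

The local spark `v -> u` is executed as a jump inside E1 (no message is created), while `s -> r` and `t -> out` leave E1 and E2 as tokens, exactly the distinction the $\mathsf{spark}$ rules make.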



2.3 Semantics of HRAM nets 

We define $\mathit{List}[A]$ for a set $A$ to be the finite sequences of elements from $A$, and use $s :: s'$ for concatenation. A trace for a net $(E, \chi, A)$ is a finite sequence of messages with polarity: $s \in \mathit{List}[L \times M_{\mathrm{sup}(A)}]$. Write $\alpha \in L \times M_{\mathrm{sup}(A)}$ for single polarised messages. We use the same notational convention as before to identify inputs ($\overline{\alpha}$).

For a trace $s = \alpha_1 :: \alpha_2 :: \cdots :: \alpha_n$, define $\xrightarrow{s}$ to be the following composition of relations on net configurations: $\to^* \xrightarrow{\alpha_1} \to^* \cdots \xrightarrow{\alpha_n}$, where $\to^*$ is the reflexive transitive closure of $\to$, i.e. any number of silent steps are allowed in between those that are observable.

Write $\mathit{traces}_A$ for the set $\mathit{List}[L \times M_{\mathrm{sup}(A)}]$. The denotation $\llbracket S \rrbracket \subseteq \mathit{traces}_A$ of a net $S = (E, \chi, A)$ is the set of traces of observable transitions reachable from the initial net configuration $\mathit{initial}(S)$ using the transition relation:

\[ \llbracket S \rrbracket = \{ s \in \mathit{traces}_A \mid \exists \eta.\ \mathit{initial}(S) \xrightarrow{s} \eta \} \]

The denotation of a net includes the empty trace and is prefix-closed by construction.

As with interfaces, we are not interested in the actual port names occurring in a trace, so we define equivariance for sets of traces. Let $S_1 \subseteq \mathit{traces}_{A_1}$ and $S_2 \subseteq \mathit{traces}_{A_2}$ for $A_1, A_2 \in \mathcal{I}$. $S_1 =_{\mathbb{A}} S_2$ if and only if there is a permutation $\pi \in \mathbb{A} \to \mathbb{A}$ such that $\{\pi \cdot s \mid s \in S_1\} = S_2$, where $\pi \cdot \epsilon = \epsilon$ and $\pi \cdot (s :: (l, (a, \vec d))) = (\pi \cdot s) :: (l, (\pi(a), \vec d))$.

Define the deletion operation $s - A$, which removes from a trace all elements $(l, (x, \vec d))$ with $x \in \mathrm{sup}(A)$, and define the interleaving of sets of traces $S_1 \subseteq \mathit{traces}_A$ and $S_2 \subseteq \mathit{traces}_B$ as $S_1 \otimes S_2 = \{ s \mid s \in \mathit{traces}_{A \otimes B} \wedge s - B \in S_1 \wedge s - A \in S_2 \}$.

Define the composition of the sets of traces $S_1 \subseteq \mathit{traces}_{A \Rightarrow B}$ and $S_2 \subseteq \mathit{traces}_{B' \Rightarrow C}$ with $\pi \vdash B =_{\mathbb{A}} B'$ as the usual synchronisation and hiding in trace semantics:

\[ S_1 ; S_2 = \{ s - B \mid s \in \mathit{traces}_{A \otimes B \otimes C} \wedge s - C \in S_1 \wedge \pi \cdot s^{*B} - A \in S_2 \} \]

(where $s^{*B}$ is $s$ with the messages from $B$ having reversed polarity).

Two nets, $f = (E_f, \chi_f, I_f)$ and $g = (E_g, \chi_g, I_g)$, are said to be structurally equivalent if they are graph-isomorphic, i.e. $\pi \cdot E_f = E_g$, $\pi \vdash I_f =_{\mathbb{A}} I_g$ and $\chi_g \circ \pi = \pi \circ \chi_f$.

Theorem 2.1. If $S_1$ and $S_2$ are structurally equivalent nets, then $\llbracket S_1 \rrbracket =_{\mathbb{A}} \llbracket S_2 \rrbracket$.

Proof. A straightforward induction on the trace length, in both directions. □



2.4 HRAM nets as a category 

In this sub-section we will show that HRAM nets form a symmetric compact- 
closed category. This establishes that our definitions are sensible and that 
HRAM nets are equal up to topological isomorphisms. This result also shows 
that the structure of HRAM nets is very loose. 



The category, called $\mathbf{HRAMnet}$, is defined as follows:

• Objects are interfaces $A \in \mathcal{P}_{fin}(\mathit{Port})$ identified up to $\mathbb{A}$-equivalence.

• A morphism $f : A \to B$ is a well-formed net of the form $(E, \chi, A \Rightarrow B)$, for some $E$ and $\chi$. We will identify morphisms that have the same denotation, i.e. if $\llbracket f \rrbracket =_{\mathbb{A}} \llbracket g \rrbracket$ then $f = g$ (in the category).

• The identity morphism for an object $A$ is

\[ \mathit{id}_A = (\emptyset, \chi, A \Rightarrow A') \]

for an $A'$ such that $\pi \vdash A =_{\mathbb{A}} A'$ and

\[ \chi(a) = \pi(a) \quad \text{if } a \in \mathrm{sup}(A^{*(O)}) \]
\[ \chi(a) = \pi^{-1}(a) \quad \text{if } a \in \mathrm{sup}(A'^{(O)}). \]

Note that $A \Rightarrow A' = A^* \cup A'$. This means that the identity is pure connectivity.

• Composition of two morphisms $f = (E_f, \chi_f, A \Rightarrow B) : A \to B$ and $g = (E_g, \chi_g, B' \Rightarrow C) : B' \to C$, such that $\pi \vdash B =_{\mathbb{A}} B'$, is

\[ f ; g = (E_f \cup E_g, \chi_{f;g}, A \Rightarrow C) : A \to C \]

where

\[ \chi_{f;g}(a) = \chi_f(a) \quad \text{if } a \in \mathrm{sup}(A^{*(O)} \otimes I_f^{(P)}) \wedge \chi_f(a) \notin \mathrm{sup}(B) \]
\[ \chi_{f;g}(a) = \chi_g(a) \quad \text{if } a \in \mathrm{sup}(C^{(O)} \otimes I_g^{(P)}) \wedge \chi_g(a) \notin \mathrm{sup}(B') \]
\[ \chi_{f;g}(a) = \chi_g(\pi(\chi_f(a))) \quad \text{if } a \in \mathrm{sup}(A^{*(O)} \otimes I_f^{(P)}) \wedge \chi_f(a) \in \mathrm{sup}(B) \]
\[ \chi_{f;g}(a) = \chi_f(\pi^{-1}(\chi_g(a))) \quad \text{if } a \in \mathrm{sup}(C^{(O)} \otimes I_g^{(P)}) \wedge \chi_g(a) \in \mathrm{sup}(B') \]

and

\[ I_g = \bigotimes\{A \mid (A, P) \in E_g\}. \]



Note We identify HRAMs with interfaces of the same shape in the category, 
which means that our objects and morphisms are in reality unions of equivariant 
sets. In defining the operations of our category we use representatives for these 
sets, and require that the representatives are chosen such that their sets of 
port names are disjoint (but same-shaped when the operation calls for it). The 
composition operation may appear to be partial because of this requirement, 
but we can always find equivariant representatives that fulfil it. 

It is possible to find other representations of interfaces that do not rely on 
equivariance. For instance, an interface could simply be two natural numbers 
— the number of input and output ports. Another possibility would be to make 
the tensor the disjoint union operator. Both of these would, however, lead 
to a lot of bureaucracy relating to injection functions to make sure that port 
connections are routed correctly. Our formulation, while seemingly complex, 
leads to very little bureaucracy, and is easy to implement. 



Proposition 2.2. $\mathbf{HRAMnet}$ is a category.

Proof.

• Composition is well-defined, i.e. it preserves well-formedness.

Let $f = (E_f, \chi_f, A \Rightarrow B) : A \to B$ and $g = (E_g, \chi_g, B' \Rightarrow C) : B' \to C$ be morphisms such that $\pi \vdash B =_{\mathbb{A}} B'$, and let their composition $f ; g = (E_f \cup E_g, \chi, A \Rightarrow C) : A \to C$ be as in the definition of composition. To prove that this is well-formed, we need to show that

\[ \chi \in \mathrm{sup}((A \Rightarrow C)^{(O)} \otimes I_{f;g}^{(P)}) \to \mathrm{sup}((A \Rightarrow C)^{(P)} \otimes I_{f;g}^{(O)}) = \mathrm{sup}(A^{*(O)} \otimes C^{(O)} \otimes I_f^{(P)} \otimes I_g^{(P)}) \to \mathrm{sup}(A^{*(P)} \otimes C^{(P)} \otimes I_f^{(O)} \otimes I_g^{(O)}) \]

where $I_{f;g} = \bigotimes\{A \mid (A, P) \in E_f \cup E_g\}$, and that it is a bijection. We are given that

\[ \chi_f \in \mathrm{sup}(A^{*(O)} \otimes B^{(O)} \otimes I_f^{(P)}) \to \mathrm{sup}(A^{*(P)} \otimes B^{(P)} \otimes I_f^{(O)}) \]
\[ \chi_g \in \mathrm{sup}(B'^{*(O)} \otimes C^{(O)} \otimes I_g^{(P)}) \to \mathrm{sup}(B'^{*(P)} \otimes C^{(P)} \otimes I_g^{(O)}) \]
\[ \pi \in \mathrm{sup}(B) \to \mathrm{sup}(B') \]

are bijections.

It is relatively easy to see that the domains specified in the clauses of the definition of $\chi$ are mutually disjoint sets and that their union is the domain that we are after.

Since $\chi$ is defined in clauses, each of which is defined using either $\chi_f$ or $\chi_g$ and/or $\pi$ (which are bijections with disjoint domains and codomains), it is enough to show that the sets of port names that $\chi_f$ is applied to in clauses 1 and 4 are disjoint, and similarly for $\chi_g$ in clauses 2 and 3:

– In clause 4, we have $\chi_g(a) \in \mathrm{sup}(B')$, and so $\pi^{-1}(\chi_g(a)) \in \mathrm{sup}(B)$, which is disjoint from $\mathrm{sup}(A^{*(O)} \otimes I_f^{(P)})$ in clause 1.

– In clause 3, we have $\chi_f(a) \in \mathrm{sup}(B)$, and so $\pi(\chi_f(a)) \in \mathrm{sup}(B')$, which is disjoint from $\mathrm{sup}(C^{(O)} \otimes I_g^{(P)})$ in clause 2.

• Composition is associative. Let

\[ f = (E_f, \chi_f, A \Rightarrow B) : A \to B, \]
\[ g = (E_g, \chi_g, B' \Rightarrow C) : B' \to C, \text{ and} \]
\[ h = (E_h, \chi_h, C' \Rightarrow D) : C' \to D \]

be nets such that $\pi_1 \vdash B =_{\mathbb{A}} B'$ and $\pi_2 \vdash C =_{\mathbb{A}} C'$. Then we have:

\[ (f ; g) ; h = (E_f \cup E_g \cup E_h, \chi_{(f;g);h}, A \Rightarrow D) \]

and

\[ f ; (g ; h) = (E_f \cup E_g \cup E_h, \chi_{f;(g;h)}, A \Rightarrow D) \]

according to the definition of composition. We need to show that $\chi_{(f;g);h} = \chi_{f;(g;h)}$, which implies that $(f ; g) ; h = f ; (g ; h)$.

We do this by expanding the definitions, simplified using the following auxiliary function:

\[ \mathit{connect}(c, A)(a) = a \quad \text{if } a \notin \mathrm{sup}(A) \]
\[ \mathit{connect}(c, A)(a) = c(a) \quad \text{if } a \in \mathrm{sup}(A) \]

$f ; g = (E_f \cup E_g, \chi_{f;g}, A \Rightarrow C)$ and $g ; h = (E_g \cup E_h, \chi_{g;h}, B' \Rightarrow D)$ where

\[ \chi_{f;g}(a) = \mathit{connect}(\chi_g \circ \pi_1, B)(\chi_f(a)) \quad \text{if } a \in \mathrm{sup}(A^{*(O)} \otimes I_f^{(P)}) \]
\[ \chi_{f;g}(a) = \mathit{connect}(\chi_f \circ \pi_1^{-1}, B')(\chi_g(a)) \quad \text{if } a \in \mathrm{sup}(C^{(O)} \otimes I_g^{(P)}) \]
\[ \chi_{g;h}(a) = \mathit{connect}(\chi_h \circ \pi_2, C)(\chi_g(a)) \quad \text{if } a \in \mathrm{sup}(B'^{*(O)} \otimes I_g^{(P)}) \]
\[ \chi_{g;h}(a) = \mathit{connect}(\chi_g \circ \pi_2^{-1}, C')(\chi_h(a)) \quad \text{if } a \in \mathrm{sup}(D^{(O)} \otimes I_h^{(P)}) \]

Now $\chi_{(f;g);h}$ and $\chi_{f;(g;h)}$ are defined as follows:

\[ \chi_{(f;g);h}(a) = \mathit{connect}(\chi_h \circ \pi_2, C)(\chi_{f;g}(a)) \quad \text{if } a \in \mathrm{sup}(A^{*(O)} \otimes I_{f;g}^{(P)}) \]
\[ \chi_{(f;g);h}(a) = \mathit{connect}(\chi_{f;g} \circ \pi_2^{-1}, C')(\chi_h(a)) \quad \text{if } a \in \mathrm{sup}(D^{(O)} \otimes I_h^{(P)}) \]
\[ \chi_{f;(g;h)}(a) = \mathit{connect}(\chi_{g;h} \circ \pi_1, B)(\chi_f(a)) \quad \text{if } a \in \mathrm{sup}(A^{*(O)} \otimes I_f^{(P)}) \]
\[ \chi_{f;(g;h)}(a) = \mathit{connect}(\chi_f \circ \pi_1^{-1}, B')(\chi_{g;h}(a)) \quad \text{if } a \in \mathrm{sup}(D^{(O)} \otimes I_{g;h}^{(P)}) \]

One way to see that these two bijective functions are equal is to view them as case trees, and consider every case. There are 13 such cases to consider, out of which three are not possible.

We show three cases:

1. If $a \in \mathrm{sup}(A^{*(O)} \otimes I_f^{(P)})$, $\chi_f(a) \notin \mathrm{sup}(B)$, and $\chi_f(a) \notin \mathrm{sup}(C)$, then

\[ \chi_{(f;g);h}(a) = \mathit{connect}(\chi_h \circ \pi_2, C)(\chi_{f;g}(a)) = \mathit{connect}(\chi_h \circ \pi_2, C)(\chi_f(a)) = \chi_f(a) \]

and

\[ \chi_{f;(g;h)}(a) = \mathit{connect}(\chi_{g;h} \circ \pi_1, B)(\chi_f(a)) = \chi_f(a) \]

and thus equal.

2. Consider the case where $a \in \mathrm{sup}(A^{*(O)} \otimes I_f^{(P)})$, $\chi_f(a) \notin \mathrm{sup}(B)$, and $\chi_f(a) \in \mathrm{sup}(C)$. This case is not possible, since $\mathrm{sup}(C)$ is not a subset of the codomain of $\chi_f$, which is $\mathrm{sup}(A^{*(P)} \otimes B^{(P)} \otimes I_f^{(O)})$.

3. If $a \in \mathrm{sup}(D^{(O)} \otimes I_h^{(P)})$, $\chi_h(a) \in \mathrm{sup}(C')$, $\pi_2^{-1}(\chi_h(a)) \in \mathrm{sup}(C^{(O)} \otimes I_g^{(P)})$, and $\chi_g(\pi_2^{-1}(\chi_h(a))) \in \mathrm{sup}(B')$, then

\[ \chi_{(f;g);h}(a) = \mathit{connect}(\chi_{f;g} \circ \pi_2^{-1}, C')(\chi_h(a)) = \chi_{f;g}(\pi_2^{-1}(\chi_h(a))) = \mathit{connect}(\chi_f \circ \pi_1^{-1}, B')(\chi_g(\pi_2^{-1}(\chi_h(a)))) = \chi_f(\pi_1^{-1}(\chi_g(\pi_2^{-1}(\chi_h(a))))) \]

and

\[ \chi_{f;(g;h)}(a) = \mathit{connect}(\chi_f \circ \pi_1^{-1}, B')(\chi_{g;h}(a)) = \mathit{connect}(\chi_f \circ \pi_1^{-1}, B')(\mathit{connect}(\chi_g \circ \pi_2^{-1}, C')(\chi_h(a))) = \mathit{connect}(\chi_f \circ \pi_1^{-1}, B')(\chi_g(\pi_2^{-1}(\chi_h(a)))) = \chi_f(\pi_1^{-1}(\chi_g(\pi_2^{-1}(\chi_h(a))))) \]

and thus equal. The other cases are done similarly.

• $\mathit{id}_A$ is well-formed. For any interface $A$,

\[ \mathit{id}_A = (\emptyset, \chi, A \Rightarrow A') \]

for an $A'$ such that $\pi \vdash A =_{\mathbb{A}} A'$ and

\[ \chi(a) = \pi(a) \quad \text{if } a \in \mathrm{sup}(A^{*(O)}) \]
\[ \chi(a) = \pi^{-1}(a) \quad \text{if } a \in \mathrm{sup}(A'^{(O)}) \]

according to the definition. We need to show that $\chi$ is a bijection:

\[ \chi \in \mathrm{sup}((A \Rightarrow A')^{(O)}) \to \mathrm{sup}((A \Rightarrow A')^{(P)}) = \mathrm{sup}(A^{*(O)} \cup A'^{(O)}) \to \mathrm{sup}(A^{*(P)} \cup A'^{(P)}) \]

This is true since $\pi$ is a bijection in $\mathrm{sup}(A) \to \mathrm{sup}(A')$.

• $\mathit{id}_A$ is an identity. For any morphism $f : A \to B$ we observe that $\mathit{id}_A ; f$ is structurally equivalent to $f$, so by Theorem 2.1 $\llbracket \mathit{id}_A ; f \rrbracket =_{\mathbb{A}} \llbracket f \rrbracket$. The case for $f ; \mathit{id}_B$ is similar.

□

We will now show that $\mathbf{HRAMnet}$ is a symmetric monoidal category:

• The tensor product of two objects $A, B$, $A \otimes B$, has already been defined. We define the tensor of two morphisms $f = (E_f, \chi_f, A \Rightarrow B)$, $g = (E_g, \chi_g, C \Rightarrow D)$ as $f \otimes g = (E_f \cup E_g, \chi_f \otimes \chi_g, A \otimes C \Rightarrow B \otimes D)$.

• The unit object is the empty interface, $\emptyset$.

• Since $A \otimes (B \otimes C) = A \cup B \cup C = (A \otimes B) \otimes C$ we define the associator $\alpha_{A,B,C} = \mathit{id}_{A \otimes B \otimes C}$ with the obvious inverse.

• Similarly, since $\emptyset \otimes A = \emptyset \cup A = A = A \cup \emptyset = A \otimes \emptyset$, we define the left unitor $\lambda_A = \mathit{id}_A$ and the right unitor $\rho_A = \mathit{id}_A$.

• Since $A \otimes B = A \cup B = B \cup A = B \otimes A$ we define the commutativity constraint $\gamma_{A,B} = \mathit{id}_{A \otimes B}$.

Proposition 2.3. $\mathbf{HRAMnet}$ is a symmetric monoidal category.

Proof.

• The tensor product is well-defined, i.e. for two morphisms $f, g$, $f \otimes g$ is a well-formed net. This is easy to see since $f$ and $g$ are well-formed.

• The tensor product is a bifunctor:

– $\mathit{id}_A \otimes \mathit{id}_B = (\emptyset, \chi_1 \otimes \chi_2, A \otimes B \Rightarrow A' \otimes B') = \mathit{id}_{A \otimes B}$ by the definition of $\mathit{id}_{A \otimes B}$.

– $(f ; g) \otimes (h ; i) = f \otimes h ; g \otimes i$ by the definition of composition and tensor on morphisms.

• The coherence conditions of the natural isomorphisms are trivial since the isomorphisms amount to identities.

□

Next we show that $\mathbf{HRAMnet}$ is a compact-closed category:

• We have already defined the dual $A^*$ of an object $A$.

• Since $\emptyset \Rightarrow (A^* \otimes A') = \emptyset^* \cup (A^* \cup A') = A \Rightarrow A'$ we can define the unit $\eta_A = \mathit{id}_A$, and since $A \otimes A'^* \Rightarrow \emptyset = (A \cup A'^*)^* \cup \emptyset = A^* \cup A' = A \Rightarrow A'$ we can define the counit $\epsilon_A = \mathit{id}_A$.

This leads us directly to the following result — what we set out to show:

Proposition 2.4. $\mathbf{HRAMnet}$ is a symmetric compact-closed category.

The following two theorems can be proved by induction on the trace length, and provide a connection between the $\mathbf{HRAMnet}$ tensor and composition and trace interleaving and composition.

Theorem 2.5. If $f : A \to B$ and $g : C \to D$ are morphisms of $\mathbf{HRAMnet}$ then $\llbracket f \otimes g \rrbracket = \llbracket f \rrbracket \otimes \llbracket g \rrbracket$.

Theorem 2.6. If $f : A \to B$ and $g : B' \to C$ are morphisms of $\mathbf{HRAMnet}$ such that $\pi \vdash B =_{\mathbb{A}} B'$ then $\llbracket f ; g \rrbracket = \llbracket f \rrbracket ; \llbracket g \rrbracket$.

The following result explicates how communicating HRAMs can be combined into a single machine, where the intercommunication is done with jumping rather than message passing, in a sound way:

Theorem 2.7. If $E_1 = (A_1, P_1)$ and $E_2 = (A_2, P_2)$ are engines and $S = (\{E_1, E_2\}, \chi, A)$ is a net, then $E_{12} = (A_1 \otimes A_2, P_1 \cup P_2)$ is an engine, $S' = (\{E_{12}\}, \chi, A)$ is a net and $\llbracket S \rrbracket \subseteq \llbracket S' \rrbracket$.

Proof. We show that for any trace $s$, $s \in \llbracket S \rrbracket$ implies $s \in \llbracket S' \rrbracket$ by induction on the length of the trace.

Hypothesis. If $s \in \llbracket S \rrbracket$ and thus $\mathit{initial}(S) \xrightarrow{s} (\{(\bar t_1, h_1) : E_1, (\bar t_2, h_2) : E_2\}, m)$ for some sets of threads $\bar t_1$ and $\bar t_2$, heaps $h_1$ and $h_2$, and a multiset of messages $m$, then $\mathit{initial}(S') \xrightarrow{s} (\{(\bar t_1 \cup \bar t_2 \cup \bar t_p, h_1 \cup h_2) : E_{12}\}, m_p)$ where $\bar t_p$ is a set of threads and $m_p$ is a multiset of messages such that:

1. each $t \in \bar t_p$ is of the form $t = (\mathsf{spark}\ a, \vec d)$ with $\chi(a) \in \mathrm{sup}(A_1 \otimes A_2)$, and

2. $m = m_p \uplus \{(\chi(a), \mathrm{msg}(\vec d)) \mid (\mathsf{spark}\ a, \vec d) \in \bar t_p\}$.

Intuitively, the net where $E_1$ and $E_2$ have been combined into one engine will not have pending messages (in $m$) for communications between $E_1$ and $E_2$, but it can match the behaviour of such messages by threads that are just about to spark.

Base case. Since any net can take zero steps, the case when $s = \epsilon$ is trivial.

Inductive step. If $s = s' :: \alpha$ and the hypothesis holds for $s'$, then we have

\[ \mathit{initial}(S) \xrightarrow{s'} (\{(\bar t_1, h_1) : E_1, (\bar t_2, h_2) : E_2\}, m) \xrightarrow{\alpha} (\{(\bar t_1', h_1') : E_1, (\bar t_2', h_2') : E_2\}, m') \]
\[ \mathit{initial}(S') \xrightarrow{s'} (\{(\bar t_1 \cup \bar t_2 \cup \bar t_p, h_1 \cup h_2) : E_{12}\}, m_p) \]

with $\bar t_p$ and $m_p$ as in the hypothesis. We first show that $S'$ can match the silent steps that $S$ performs, by induction on the number of steps, using the same induction hypothesis as above:

Base case. Trivial.

Inductive step. Assume that we have

\[ \mathit{initial}(S) \xrightarrow{s'} \to^* (\{(\bar t_1, h_1) : E_1, (\bar t_2, h_2) : E_2\}, m) \]
\[ \mathit{initial}(S') \xrightarrow{s'} \to^* (\{(\bar t_1 \cup \bar t_2 \cup \bar t_p, h_1 \cup h_2) : E_{12}\}, m_p) \]

such that the induction hypothesis holds. We need to show that any step

\[ (\{(\bar t_1, h_1) : E_1, (\bar t_2, h_2) : E_2\}, m) \to (\{(\bar t_1', h_1') : E_1, (\bar t_2', h_2') : E_2\}, m') \]

can be matched by (any number of) silent steps of the $S'$ configuration, such that the induction hypothesis still holds.

• A thread of $S$ performs a silent step. This is trivial, since the threads of the engine configuration of $S'$ include all threads of the configurations of $S$, and its heap is the union of those of $S$.

• A thread of $S$ does an internal engine send step. Since $\bar t_1 \cup \bar t_2 \cup \bar t_p$ includes all threads of the $S$ configuration, and for the port name $a$ in question $\chi(a) \in A_1 \cup A_2 = A_1 \otimes A_2$, this can be matched by the configuration of $S'$ such that the induction hypothesis still holds.

• A thread of $S$ does an external engine send. This means that there is a thread $t \in \bar t_1 \cup \bar t_2$ of the form $t = (\mathsf{spark}\ a, \vec d)$, which after the step will be removed, adding the message $(\chi(a), \mathrm{msg}(\vec d))$ to its multiset of messages, i.e. $m' = m \uplus \{(\chi(a), \mathrm{msg}(\vec d))\}$.

If $\chi(a) \in A_1 \cup A_2$, then the configuration of $S'$ can take zero steps, and thus include $t$ in the set of threads ready to spark. The induction hypothesis still holds, since $m' = m \uplus \{(\chi(a), \mathrm{msg}(\vec d))\} = m_p \uplus \{(\chi(a), \mathrm{msg}(\vec d)) \mid (\mathsf{spark}\ a, \vec d) \in \bar t_p\} \uplus \{(\chi(a), \mathrm{msg}(\vec d))\} = m_p \uplus \{(\chi(a), \mathrm{msg}(\vec d)) \mid (\mathsf{spark}\ a, \vec d) \in \bar t_p \cup \{t\}\}$.

If $\chi(a) \in A$, then the configuration of $S'$ can match the step of $S$, removing the thread $t$ from its set of threads as well. It is easy to see that the induction hypothesis holds also in this case.

• An engine of $S$ receives a message. This means that $m = \{(a, \vec d)\} \uplus m'$ for a message such that the port $(O, a) \in A_1 \cup A_2 = A_1 \otimes A_2$. Then either $(a, \vec d)$ is in $m_p$ or in $\{(\chi(a), \mathrm{msg}(\vec d)) \mid (\mathsf{spark}\ a, \vec d) \in \bar t_p\}$. If it is the former, $E_{12}$ can receive the message and start a thread equal to that started in the configuration of $S$. If it is the latter, there is a thread $t = (\mathsf{spark}\ \chi^{-1}(a), \vec d') \in \bar t_p$ with $\vec d = \mathrm{msg}(\vec d')$ that can first take a send step, adding the message to the multiset of pending messages of the configuration of $S'$, and then it can be received as in $S$.

Next we show that the $\alpha$ step can be matched. Assume that we have

\[ \mathit{initial}(S) \xrightarrow{s'} \to^* (\{(\bar t_1, h_1) : E_1, (\bar t_2, h_2) : E_2\}, m) \]
\[ \mathit{initial}(S') \xrightarrow{s'} \to^* (\{(\bar t_1 \cup \bar t_2 \cup \bar t_p, h_1 \cup h_2) : E_{12}\}, m_p) \]

such that the induction hypothesis holds. We need to show that for any $\alpha$, a step

\[ (\{(\bar t_1, h_1) : E_1, (\bar t_2, h_2) : E_2\}, m) \xrightarrow{\alpha} (\{(\bar t_1', h_1') : E_1, (\bar t_2', h_2') : E_2\}, m') \]

can be matched by the $S'$ configuration, such that the induction hypothesis still holds. We have two cases:

• The configuration of $S$ performs a send step. That is, $m = \{\mathbf{m}\} \uplus m'$ for an $\mathbf{m} = (a, \vec d)$ such that $(P, a) \in A$. Since $\mathrm{sup}(A)$ is disjoint from $\mathrm{sup}(A_1 \cup A_2)$, the message is also in $m_p$, so the configuration of $S'$ can match the step.

• The configuration of $S$ performs a receive step. This case is easy, as $S$ and $S'$ have the same interface $A$.

□
We define a family of projection HRAM nets $\Pi_{i, A_1 \otimes \cdots \otimes A_n} : A_1 \otimes \cdots \otimes A_n \to A_i$ by first constructing a family of "sinks" $\bot_A : A \to I = \mathit{singleton}((A \Rightarrow I, P))$, where $I = \emptyset$ and $P(a) = \mathsf{end}$ for each $a$ in its domain, and then defining e.g.

$$\Pi_{1, A \otimes B} : A \otimes B \to A = \mathit{id}_A \otimes \bot_B.$$



3 Game nets for ICA

The structure of a HRAM net token is determined by the number of registers $r$ and the message size $r_m$, which are globally fixed. To implement game-semantic machines we require four message components: a port name, two pointer names, and a data fragment, meaning that $r_m = 3$. We choose $r = 4$, to get an additional register for temporary thread values to work with. From this point on, messages in nets and traces will be restricted to this form.

The message structure is intended to capture the structure of a move when game 
semantics is expressed in the nominal model. The port name is the move, the 
first name is the "point" whereas the second name is the "butt" of a justification 
arrow, and the data is the value of the move. This direct and abstract encoding 
of the justification pointer as names is quite different to that used in PAM and 
in other GOI-based token machines. In PAM the pointer is represented by a 
sequence of integers encoding the hereditary justification of the move, which 
is a snap-shot of the computational causal history of the move, just like in 
GOI-based machines. Such encodings have an immediate negative consequence, 
as tokens can become impractically large in complex computations, especially 
involving recursion. Large tokens entail not only significant communication 
overheads but also the computational overheads of decoding their structure. A 
subtler negative consequence of such an encoding is that it makes supporting 
the semantic structures required to interpret state and concurrency needlessly 
complicated and inefficient. The nominal representation is simple and compact, 
and efficiently exploits local machine memory (heap) in a way that previous 
abstract machines, of a "functional" nature, do not. 

The price that we pay is a failure of compositionality, which we will illustrate shortly. The rest of the section will show how compositionality can be restored without substantially changing the HRAM framework. If in HRAM nets compositionality is "plug-and-play", as apparent from its compact-closed structure, Game Abstract Machine (GAM) composition must be mediated by a family of operators which are themselves HRAMs.

In this simple motivating example it is assumed that the reader is familiar with game semantics, and several of the notions to be introduced formally in the next sub-sections are anticipated. We trust that this will not be confusing.

Let $S$ be a HRAM representing the game semantic model for the successor operation $S : \mathsf{int} \to \mathsf{int}$. The HRAM net in Fig. 4 represents a (failed) attempt to construct an interpretation for the term $x : \mathsf{int} \vdash S(S(x)) : \mathsf{int}$ in a context $C[-_{\mathsf{int}}] : \mathsf{int}$. This is the standard way of composing GOI-like machines.

The labels along the edges of the HRAM net trace a token $(a, p_0, p_1, d)$ sent by the context $C[-]$ in order to evaluate the term. We elide $a$ and $d$, which are irrelevant, to keep the diagram uncluttered. The token is received by $S$ and propagated to the other $S$ HRAM, this time with the pointers $(p_1, p_2)$. This trace of events $(p_0,p_1)::(p_1,p_2)$ corresponds to the existence of a justification pointer from the second action to the first in the game model. The essential correctness invariant for a well-formed trace representing a game-semantic play is that each token consists of a known name and a fresh name (if locally created, or unknown if externally created). However, the second $S$ machine will respond with $(p_2,p_3)$ to $(p_1,p_2)$, leading to a situation where $C[-]$ receives a token formed from two unknown names.

Figure 4: Non-locality of names in HRAM composition

In game semantics, the composition of $(p_0,p_1)::(p_1,p_2)$ with $(p_1,p_2)::(p_2,p_3)$ should lead to $(p_0,p_1)::(p_1,p_3)$, as justification pointers are "extended" so that they never point into a move hidden through composition. This is precisely what the composition operator, a specialised HRAM, will be designed to achieve.



3.1 Game abstract machines (GAM) and nets

Definition 3.1. We define a game interface (cf. arena) as a tuple $\mathfrak{A} = (A, \mathit{qst}_\mathfrak{A}, \mathit{ini}_\mathfrak{A}, \vdash_\mathfrak{A})$ where

• $A \in \mathbb{I}$ is an interface. For game interfaces $\mathfrak{A}, \mathfrak{B}, \mathfrak{C}$ we will write $A, B, C$ and so on for their underlying interfaces.

• The set of ports is partitioned into a subset of question port names $\mathit{qst}_\mathfrak{A}$ and one of answer port names $\mathit{ans}_\mathfrak{A}$, $\mathit{qst}_\mathfrak{A} \uplus \mathit{ans}_\mathfrak{A} = \mathrm{sup}(A)$.

• The set of initial port names $\mathit{ini}_\mathfrak{A}$ is a subset of the O-labelled question ports.

• The enabling relation $\vdash_\mathfrak{A}$ relates question port names to non-initial port names such that if $a \vdash_\mathfrak{A} a'$ for port names $a \in \mathit{qst}_\mathfrak{A}$ with $(l,a) \in A$ and $a' \in \mathrm{sup}(A) \setminus \mathit{ini}_\mathfrak{A}$ with $(l',a') \in A$, then $l \neq l'$.

For notational consistency, write $\mathit{opp}_\mathfrak{A} = \mathrm{sup}(A^{(O)})$ and $\mathit{prop}_\mathfrak{A} = \mathrm{sup}(A^{(P)})$. Call the set of all game interfaces $\mathbb{I}_\mathbb{G}$. Game interfaces are equivariant, $\pi \vdash \mathfrak{A} =_\alpha \mathfrak{B}$, if and only if $\pi \vdash A =_\alpha B$, $\{\pi(a) \mid a \in \mathit{qst}_\mathfrak{A}\} = \mathit{qst}_\mathfrak{B}$, $\{\pi(a) \mid a \in \mathit{ini}_\mathfrak{A}\} = \mathit{ini}_\mathfrak{B}$ and $\{(\pi(a), \pi(a')) \mid a \vdash_\mathfrak{A} a'\} = \vdash_\mathfrak{B}$.

Definition 3.2. For game interfaces (with disjoint sets of port names) $\mathfrak{A}$ and $\mathfrak{B}$, we define:

$$\mathfrak{A} \otimes \mathfrak{B} = (A \otimes B,\ \mathit{qst}_\mathfrak{A} \cup \mathit{qst}_\mathfrak{B},\ \mathit{ini}_\mathfrak{A} \cup \mathit{ini}_\mathfrak{B},\ \vdash_\mathfrak{A} \cup \vdash_\mathfrak{B})$$

$$\mathfrak{A} \Rightarrow \mathfrak{B} = (A \Rightarrow B,\ \mathit{qst}_\mathfrak{A} \cup \mathit{qst}_\mathfrak{B},\ \mathit{ini}_\mathfrak{B},\ \vdash_\mathfrak{A} \cup \vdash_\mathfrak{B} \cup (\mathit{ini}_\mathfrak{B} \times \mathit{ini}_\mathfrak{A})).$$



A GAM net is a tuple $G = (S, \mathfrak{A}) \in \mathbb{S} \times \mathbb{I}_\mathbb{G}$ consisting of a net and a game interface such that $S = (E, \chi, A)$, i.e. the interface of the net is the same as that of the game interface. The denotational semantics of a GAM net $G = (S, \mathfrak{A})$ is just that of the underlying HRAM net: $[\![G]\!] = [\![S]\!]$.



3.2 Game traces

To be able to use game semantics as the specification for game nets we define the usual legality conditions on traces, following [9].

Definition 3.3. The coabstracted and free pointers $\mathit{cp}, \mathit{fp} \in \mathit{traces} \to \mathcal{P}(\mathbb{P})$ are:

$$\mathit{cp}(\varepsilon) = \emptyset$$
$$\mathit{cp}(s::(l,(a,p,p',d))) = \mathit{cp}(s) \cup \{p'\}$$
$$\mathit{fp}(\varepsilon) = \emptyset$$
$$\mathit{fp}(s::(l,(a,p,p',d))) = \mathit{fp}(s) \cup (\{p\} \setminus \mathit{cp}(s))$$

The pointers of a trace are $\mathit{ptrs}(s) = \mathit{cp}(s) \cup \mathit{fp}(s)$.

Definition 3.4. Define $\mathit{enabled}_\mathfrak{A} \in \mathit{traces}_\mathfrak{A} \to \mathcal{P}(\mathrm{sup}(A) \times \mathbb{P})$ inductively as follows:

$$\mathit{enabled}_\mathfrak{A}(\varepsilon) = \emptyset$$
$$\mathit{enabled}_\mathfrak{A}(s::(l,(a,p,p',d))) = \mathit{enabled}_\mathfrak{A}(s) \cup \{(a',p') \mid a \vdash_\mathfrak{A} a'\}$$

Definition 3.5. We define the following relations over traces:

• Write $s' \le s$ if and only if there is a trace $s_1$ such that $s'::s_1 = s$, i.e. $s'$ is a prefix of $s$.

• Write $s' \sqsubseteq s$ if and only if there are traces $s_1, s_2$ such that $s_1::s'::s_2 = s$, i.e. $s'$ is a segment of $s$.

Definition 3.6. For an arena $\mathfrak{A}$ and a trace $s \in \mathit{traces}_\mathfrak{A}$, we define the following legality conditions:

• $s$ has unique pointers when $s'::(l,(a,p,p',d)) \le s$ implies $p' \notin \mathit{ptrs}(s')$.

• $s$ is correctly labelled when $(l,(a,p,p',d)) \sqsubseteq s$ implies $a \in \mathrm{sup}(A^{(l)})$.

• $s$ is justified when $s'::(l,(a,p,p',d)) \le s$ and $a \notin \mathit{ini}_\mathfrak{A}$ implies $(a,p) \in \mathit{enabled}_\mathfrak{A}(s')$.

• $s$ is well-opened when $s'::(l,(a,p,p',d)) \le s$ and $a \in \mathit{ini}_\mathfrak{A}$ implies $s' = \varepsilon$.

• $s$ is strictly scoped when $(l,(a,p,p',d))::s' \sqsubseteq s$ with $a \in \mathit{ans}_\mathfrak{A}$ implies $p \notin \mathit{fp}(s')$.

• $s$ is strictly nested when $(l_1,(a_1,p,p',d_1))::s'::(l_2,(a_2,p',p'',d_2))::s''::(l_3,(a_3,p',p''',d_3)) \sqsubseteq s$ implies $(l_4,(a_4,p'',-,d_4)) \sqsubseteq s''$ for port names $a_1, a_2 \in \mathit{qst}_\mathfrak{A}$ and $a_3, a_4 \in \mathit{ans}_\mathfrak{A}$.

• $s$ is alternating when $(l_1,m_1)::(l_2,m_2) \sqsubseteq s$ implies $l_1 \neq l_2$.

Definition 3.7. We say that a question message $\alpha = (l,(a,p,p',d))$ ($a \in \mathit{qst}_\mathfrak{A}$) is pending in a trace $s = s_1::\alpha::s_2$ if and only if there is no answer $\alpha' = (l',(a',p',p'',d')) \sqsubseteq s_2$ ($a' \in \mathit{ans}_\mathfrak{A}$), i.e. the question has not been answered.

Write $P_\mathfrak{A}$ for the subset of $\mathit{traces}_\mathfrak{A}$ consisting of the traces that have unique pointers, are correctly labelled, justified, strictly scoped and strictly nested.

For a set of traces $P$, write $P^{\mathit{alt}}$ for the subset consisting of only alternating traces, and $P^{\mathit{st}}$ (for single-threaded) for the subset consisting of only well-opened traces.

Definition 3.8. If $s \in \mathit{traces}$ and $X \subseteq \mathbb{P}$, define the hereditarily justified trace $s \upharpoonright X$, where inductively $(s',X') = s \upharpoonright X$:

$$\varepsilon \upharpoonright X \triangleq (\varepsilon, X)$$
$$s::(l,(a,p,p',d)) \upharpoonright X \triangleq (s'::(l,(a,p,p',d)),\ X' \cup \{p'\}) \quad \text{if } p \in X'$$
$$s::(l,(a,p,p',d)) \upharpoonright X \triangleq (s', X') \quad \text{if } p \notin X'$$

Write $s \upharpoonright X$ for $s'$ when $s \upharpoonright X = (s',X')$, when it is convenient.
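Definitions 3.3 to 3.8 are directly executable; the Python below is an added example, not code from the paper, that implements cp, fp, enabled, the legality checks (unique pointers, correctly labelled, justified, well-opened, alternating) and the hereditarily justified restriction of Definition 3.8, and runs them on the copycat play of Fig. 5. The arena (com1 ⇒ com2) ⇒ (com3 ⇒ com4) and the answer moves that complete the play are reconstructed from the trace given in Section 3.3 and are assumptions.

```python
from dataclasses import dataclass

# A message is (label, (port, p, p_own, data)); an answer has no own pointer, written None for "-".

@dataclass
class GameInterface:
    label: dict         # port name -> "O" or "P": the underlying interface A
    qst: frozenset      # question port names
    ans: frozenset      # answer port names
    ini: frozenset      # initial port names (O-labelled questions)
    enables: frozenset  # enabling relation as pairs (a, a') meaning a |- a'

def cp(s):
    """Coabstracted pointers: every own pointer p' introduced by a move of s (Def. 3.3)."""
    return {pp for _, (a, p, pp, d) in s if pp is not None}

def fp(s):
    """Free pointers: justifiers not coabstracted by an earlier move (Def. 3.3)."""
    free, seen = set(), set()
    for _, (a, p, pp, d) in s:
        if p not in seen:
            free.add(p)
        if pp is not None:
            seen.add(pp)
    return free

def ptrs(s):
    return cp(s) | fp(s)

def enabled(g, s):
    """Pairs (a', p') that a later move may be justified by (Def. 3.4)."""
    return {(a2, pp) for _, (a, p, pp, d) in s for (a1, a2) in g.enables if a1 == a}

def unique_pointers(g, s):
    return all(pp is None or pp not in ptrs(s[:i]) for i, (_, (a, p, pp, d)) in enumerate(s))

def correctly_labelled(g, s):
    return all(g.label.get(a) == l for l, (a, p, pp, d) in s)

def justified(g, s):
    return all(a in g.ini or (a, p) in enabled(g, s[:i]) for i, (_, (a, p, pp, d)) in enumerate(s))

def well_opened(g, s):
    # an initial question may only appear as the very first message
    return all(a not in g.ini for _, (a, p, pp, d) in s[1:])

def alternating(g, s):
    return all(l1 != l2 for (l1, _), (l2, _) in zip(s, s[1:]))

def hereditarily_justified(s, X):
    """s restricted to the moves hereditarily justified by a pointer in X (Def. 3.8)."""
    kept, X2 = [], set(X)
    for msg in s:
        _, (a, p, pp, d) = msg
        if p in X2:
            kept.append(msg)
            if pp is not None:
                X2.add(pp)
    return kept, X2

def legal(g, s):
    """The conditions of P_A that this model checks, plus alternation and well-openedness."""
    return (unique_pointers(g, s) and correctly_labelled(g, s) and justified(g, s)
            and well_opened(g, s) and alternating(g, s))

# Constructed arena for (com1 => com2) => (com3 => com4): r_i questions, d_i answers.
# In A => A' the polarities of A = com1 => com2 are flipped, so r2 is P and r1 is O.
COM4 = GameInterface(
    label={"r4": "O", "d4": "P", "r3": "P", "d3": "O", "r2": "P", "d2": "O", "r1": "O", "d1": "P"},
    qst=frozenset({"r1", "r2", "r3", "r4"}), ans=frozenset({"d1", "d2", "d3", "d4"}),
    ini=frozenset({"r4"}),
    enables=frozenset({("r4", "d4"), ("r3", "d3"), ("r2", "d2"), ("r1", "d1"),
                       ("r4", "r3"), ("r4", "r2"), ("r2", "r1")}))

# The copycat play of Fig. 5, completed with its answers (constructed).
PLAY = [("O", ("r4", "p0", "p1", None)), ("P", ("r2", "p1", "p2", None)),
        ("O", ("r1", "p2", "p3", None)), ("P", ("r3", "p1", "p4", None)),
        ("O", ("d3", "p4", None, None)), ("P", ("d1", "p3", None, None)),
        ("O", ("d2", "p2", None, None)), ("P", ("d4", "p1", None, None))]

# Same play, but r1 claims to be justified by r4's pointer p1: r4 does not enable r1.
BAD = PLAY[:2] + [("O", ("r1", "p1", "p3", None))] + PLAY[3:]

if __name__ == "__main__":
    print(legal(COM4, PLAY), legal(COM4, BAD), fp(PLAY))
    print(hereditarily_justified(PLAY, {"p2"})[0])
```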



3.3 Copycat

The quintessential game-semantic behaviour is that of the copy-cat strategy, as it appears in various guises in the representation of all structural morphisms of any category of strategies. A copy-cat not only replicates the behaviour of its Opponent in terms of moves, but also in terms of justification structures. Because of this, the copy-cat strategy needs to be either history-sensitive (stateful) or the justification information needs to be carried along with the token. We take the former approach, in contrast to IAM and other GOI-inspired machines.

Consider the identity (or copycat) strategy on $\mathsf{com} \Rightarrow \mathsf{com}$, where $\mathsf{com}$ is a two-move arena (one question, one answer). A typical play may look as in Fig. 5. The full lines represent justification pointers, and the trace (play) is represented nominally as

$$(r_4,p_0,p_1)::(r_2,p_1,p_2)::(r_1,p_2,p_3)::(r_3,p_1,p_4)::(d_3,p_4) \cdots$$

To preserve the justification structure, a copycat engine only needs to store "copycat links", which are shown as dashed lines in the diagram between question moves. In this instance, for an input on $r_4$, a heap value mapping a freshly created $p_2$ (the pointer to $r_2$) to $p_1$ (the pointer from $r_4$) is added.

The reason for mapping $p_2$ to $p_1$ becomes clear when the engine later gets an input on $r_1$ with pointers $p_2$ and $p_3$. It can then replicate the move to $r_3$, but using $p_1$ as a justifier. By following the $p_2$ pointer in the heap it gets $p_1$, so it can produce $(r_3,p_1,p_4)$, where $p_4$ is a fresh heap value mapping to $p_3$. When receiving an answer, i.e. a $d$ move, the copycat link can be dereferenced and then discarded from the heap.

Figure 5: A typical play for copycat on $(\mathsf{com}_1 \Rightarrow \mathsf{com}_2) \Rightarrow (\mathsf{com}_3 \Rightarrow \mathsf{com}_4)$

The following HRAM macro-instructions are useful in defining copy-cat machines to, respectively, handle the pointers in an initial question, a non-initial question and an answer:

$$\mathsf{cci} = \mathsf{flip}\ 0,1;\ 1 \leftarrow \mathsf{new}\ 0,3$$
$$\mathsf{ccq} = 1 \leftarrow \mathsf{new}\ 1,3;\ 0,3 \leftarrow \mathsf{get}\ 0$$
$$\mathsf{cca} = \mathsf{flip}\ 0,1;\ 0,3 \leftarrow \mathsf{get}\ 1;\ \mathsf{free}\ 1$$

For game interfaces $\mathfrak{A}$ and $\mathfrak{A}'$ such that $\pi \vdash \mathfrak{A} =_\alpha \mathfrak{A}'$, we define a generalised copycat engine as $\mathfrak{C}_{C,\pi,\mathfrak{A}} = (A \Rightarrow A', P)$, where:

$$P = \{q_2 \mapsto C;\ \mathsf{spark}\ q_1 \mid q_2 \in \mathit{ini}_{\mathfrak{A}'} \wedge q_1 = \pi^{-1}(q_2)\}$$
$$\cup\ \{q_2 \mapsto \mathsf{ccq};\ \mathsf{spark}\ q_1 \mid q_2 \in (\mathit{opp}_{\mathfrak{A}'} \cap \mathit{qst}_{\mathfrak{A}'}) \setminus \mathit{ini}_{\mathfrak{A}'} \wedge q_1 = \pi^{-1}(q_2)\}$$
$$\cup\ \{a_2 \mapsto \mathsf{cca};\ \mathsf{spark}\ a_1 \mid a_2 \in \mathit{opp}_{\mathfrak{A}'} \cap \mathit{ans}_{\mathfrak{A}'} \wedge a_1 = \pi^{-1}(a_2)\}$$
$$\cup\ \{q_1 \mapsto \mathsf{ccq};\ \mathsf{spark}\ q_2 \mid q_1 \in \mathit{opp}_{\mathfrak{A}} \cap \mathit{qst}_{\mathfrak{A}} \wedge q_2 = \pi(q_1)\}$$
$$\cup\ \{a_1 \mapsto \mathsf{cca};\ \mathsf{spark}\ a_2 \mid a_1 \in \mathit{opp}_{\mathfrak{A}} \cap \mathit{ans}_{\mathfrak{A}} \wedge a_2 = \pi(a_1)\}$$

This copycat engine is parametrised with an initial instruction $C$, which is run when receiving an initial question. The engine for an ordinary copycat, i.e. the identity of games, is $\mathfrak{C}_{\mathsf{cci},\pi,\mathfrak{A}}$. By slight abuse of notation, write $\mathfrak{C}_{\pi,\mathfrak{A}}$ for the singleton copycat game net $(\mathit{singleton}(\mathfrak{C}_{\mathsf{cci},\pi,\mathfrak{A}}),\ \mathfrak{A} \Rightarrow \pi \cdot \mathfrak{A})$.
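The copycat macro-instructions and the engine clauses above can be simulated directly; this Python model is an added example, not the paper's implementation, which dispatches on whether an incoming port is an answer, an initial question of A' or any other question, and picks the direction of π from the side the port belongs to. Registers follow the convention of Section 3 (register 0 the justifier p, register 1 the own pointer p', register 2 the data, register 3 scratch), an answer carries None in place of p', and the port names r_i, d_i and the fresh names p2, p4 are taken from the play of Fig. 5.

```python
class CopycatEngine:
    """Model of the copycat engine C_{cci,pi,A} on the interface A => A'.

    The heap holds only copycat links: a pointer created by this engine maps to the
    pointer of the Opponent move it copies (Section 3.3).
    """

    def __init__(self, pi, ans, ini_prime, fresh):
        self.pi = dict(pi)                               # port bijection A -> A'
        self.pi_inv = {b: a for a, b in pi.items()}      # and its inverse A' -> A
        self.ans = set(ans)                              # answer ports of A and A'
        self.ini_prime = set(ini_prime)                  # initial questions of A' (= of A => A')
        self.fresh = fresh                               # iterator supplying fresh pointer names
        self.heap = {}

    def copy_port(self, a):
        # Opponent moves on A' are copied to A via pi^{-1}, those on A to A' via pi.
        return self.pi_inv[a] if a in self.pi_inv else self.pi[a]

    # The three macro-instructions, on registers (r0, r1, r2) = (p, p', d).
    def cci(self, p, pp, d):
        # flip 0,1; 1 <- new 0,3 : the copy is justified by p' and gets a fresh pointer linked to p'.
        new = next(self.fresh)
        self.heap[new] = pp
        return (pp, new, d)

    def ccq(self, p, pp, d):
        # 1 <- new 1,3; 0,3 <- get 0 : fresh pointer linked to p', justifier read through the link of p.
        new = next(self.fresh)
        self.heap[new] = pp
        return (self.heap[p], new, d)

    def cca(self, p, pp, d):
        # flip 0,1; 0,3 <- get 1; free 1 : answer the question p was copied from, then drop the link.
        return (self.heap.pop(p), None, d)

    def receive(self, msg):
        """Handle one Opponent message (a, p, p', d) and return the Proponent copy that is sparked."""
        a, p, pp, d = msg
        if a in self.ans:
            regs = self.cca(p, pp, d)
        elif a in self.ini_prime:
            regs = self.cci(p, pp, d)
        else:
            regs = self.ccq(p, pp, d)
        return (self.copy_port(a),) + regs

# Constructed instance: A = com1 => com2, A' = com3 => com4, pi renames A onto A'.
PI = {"r1": "r3", "d1": "d3", "r2": "r4", "d2": "d4"}
ANSWERS = {"d1", "d2", "d3", "d4"}

# The Opponent side of the play in Fig. 5 (the r4, r1, d3 and d2 moves), as constructed input.
O_MOVES = [("r4", "p0", "p1", None), ("r1", "p2", "p3", None),
           ("d3", "p4", None, None), ("d2", "p2", None, None)]

def run_copycat(o_moves, fresh_names):
    """Feed the Opponent moves to a fresh engine; return its replies and a heap snapshot per reply."""
    engine = CopycatEngine(PI, ANSWERS, {"r4"}, iter(fresh_names))
    replies, heaps = [], []
    for m in o_moves:
        replies.append(engine.receive(m))
        heaps.append(dict(engine.heap))       # the copycat links held after this reply
    return replies, heaps

if __name__ == "__main__":
    for reply, heap in zip(*run_copycat(O_MOVES, ["p2", "p4"])):
        print(reply, heap)
```

Interleaving the replies with O_MOVES reproduces the trace (r4,p0,p1)::(r2,p1,p2)::(r1,p2,p3)::(r3,p1,p4)::(d3,p4)::(d1,p3)::(d2,p2)::(d4,p1), and the heap is empty once both questions are answered.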

Following [9], we define a partial order $\le$ over polarities $L$, as $O \le O$, $O \le P$, $P \le P$, and a preorder $\preceq$ over traces from $P_\mathfrak{A}$ to be the least reflexive and transitive relation such that if $l_1 \le l_2$ then

$$s_1::(l_1,(a_1,p_1,p_1',d_1))::(l_2,(a_2,p_2,p_2',d_2))::s_2 \ \preceq\ s_1::(l_2,(a_2,p_2,p_2',d_2))::(l_1,(a_1,p_1,p_1',d_1))::s_2,$$

where $p_1' \neq p_2$. A set of traces $S \subseteq P_\mathfrak{A}$ is saturated if and only if, for $s, s' \in P_\mathfrak{A}$, $s' \preceq s$ and $s \in S$ implies $s' \in S$. If $S \subseteq P_\mathfrak{A}$ is a set of traces, let $\mathit{sat}(S)$ be the smallest saturated set of traces that contains $S$.

The usual definition of the copycat strategy (in the alternating and single-threaded setting) as a set of traces is

$$\mathit{cc}^{\mathit{st},\mathit{alt}}_{\mathfrak{A},\mathfrak{A}'} = \{ s \in P^{\mathit{st},\mathit{alt}}_{\mathfrak{A} \Rightarrow \mathfrak{A}'} \mid \forall s' \le_{\mathit{even}} s.\ s' \upharpoonleft A = \pi \cdot (s' \upharpoonleft A') \}$$

Definition 3.9. A set of traces $S_1$ is P-closed with respect to a set of traces $S_2$ if and only if $s' \in S_1 \cap S_2$ and $s = s'::(P,(a,p,p',d)) \in S_1$ implies $s \in S_2$.

The intuition of P-closure is that if the trace $s'$ is "legal" according to $S_2$, then any outputs that can occur after $s'$ in $S_1$ are also legal.

Definition 3.10. We say that a GAM net $f$ implements a set of traces $S$ if and only if $S \subseteq [\![f]\!]$ and $[\![f]\!]$ is P-closed with respect to $S$.

This is the form of the statements of correctness for game nets that we want; it 
certifies that the net / can accommodate all traces in S and, furthermore, that 
it only produces legal outputs when given valid inputs. 

The main result of this section establishes the correctness of the GAM for copy- 
cat. 

Theorem 3.11. $\mathfrak{C}_{\pi,\mathfrak{A}}$ implements $\mathit{cc}_{\mathfrak{A},\pi\cdot\mathfrak{A}}$.

This is a direct corollary of Lemmas 3.13, 3.16 and 3.17 and Theorems 3.18 and 3.22 given below.



Lemma 3.12. If $n_1 = (e : E, m)$ and $n_1' = (e' : E, m')$ are net configurations of a net $f = (E, \chi, A)$, and $n_1 \xrightarrow{(x)} n_1'$ with $(x) \in \{\bullet\} \cup (L \times \mathcal{M}_{\mathrm{sup}(A)})$, then $n_2 \xrightarrow{(x)} n_2'$, where $n_2 = (e : E, m \uplus \{\mu\})$ and $n_2' = (e' : E, m' \uplus \{\mu\})$ for any message $\mu$.

Proof. By cases on $(x)$:

• If $(x) = \bullet$, then $e : E = \{e_0 : E_0\} \cup e_r : E_r$ and $e' : E = \{e_0' : E_0\} \cup e_r : E_r$, where $e_0 \xrightarrow{(y)}_{E_0,\chi} e_0'$ for some $(y)$. We have three cases for $(y)$:

  – If $(y) = \bullet$, then $e_0 \xrightarrow{\bullet}_{E_0,\chi} e_0'$ and $m' = m$. Then we also have $n_2 = (\{e_0 : E_0\} \cup e_r : E_r,\ m \uplus \{\mu\}) \xrightarrow{\bullet} (\{e_0' : E_0\} \cup e_r : E_r,\ m \uplus \{\mu\}) = n_2'$.

  – If $(y) = (P, m_y)$, then $e_0 \xrightarrow{(P,m_y)}_{E_0,\chi} e_0'$ and $m' = \{m_y\} \uplus m$. Then we also have $n_2 = (\{e_0 : E_0\} \cup e_r : E_r,\ m \uplus \{\mu\}) \xrightarrow{\bullet} (\{e_0' : E_0\} \cup e_r : E_r,\ \{m_y\} \uplus m \uplus \{\mu\}) = n_2'$.

  – If $(y) = (O, m_y)$, then $e_0 \xrightarrow{(O,m_y)}_{E_0,\chi} e_0'$ and $m = \{m_y\} \uplus m'$. Then we also have $n_2 = (\{e_0 : E_0\} \cup e_r : E_r,\ \{m_y\} \uplus m' \uplus \{\mu\}) \xrightarrow{\bullet} (\{e_0' : E_0\} \cup e_r : E_r,\ m' \uplus \{\mu\}) = n_2'$.

• If $(x) = (P, m_x)$, then $e' : E = e : E$ and $m = \{m_x\} \uplus m'$. Then we also have $n_2 = (e : E,\ \{m_x\} \uplus m' \uplus \{\mu\}) \xrightarrow{(P,m_x)} (e : E,\ m' \uplus \{\mu\}) = n_2'$.

• If $(x) = (O, m_x)$, where $m_x = (a,p,p',d)$, then $e' : E = e : E$ and $m' = \{(\chi(a),p,p',d)\} \uplus m$. Then we also have $n_2 = (e : E,\ m \uplus \{\mu\}) \xrightarrow{(O,m_x)} (e : E,\ \{(\chi(a),p,p',d)\} \uplus m \uplus \{\mu\}) = n_2'$.

□
Lemma 3.13. If $f$ is a net and $s$ a trace, then

1. $s = s_1::(l,m_1)::(O,m)::s_2 \in [\![f]\!]$ with witness $\mathit{initial}(f) \xrightarrow{s} n$ implies $s' = s_1::(O,m)::(l,m_1)::s_2 \in [\![f]\!]$ with $\mathit{initial}(f) \xrightarrow{s'} n$, and

2. $s = s_1::(P,m)::(l,m_1)::s_2 \in [\![f]\!]$ with witness $\mathit{initial}(f) \xrightarrow{s} n$ implies $s' = s_1::(l,m_1)::(P,m)::s_2 \in [\![f]\!]$ with $\mathit{initial}(f) \xrightarrow{s'} n$.

A special case of this lemma is that if $G = (f, \mathfrak{A})$ and, for a set of traces $S \subseteq P_\mathfrak{A}$, $S \subseteq [\![G]\!]$ holds, then $\mathit{sat}(S) \subseteq [\![G]\!]$.

Proof. 1. $s = s_1::(l,m_1)::(O,m)::s_2 \in [\![f]\!]$ means that

$$\mathit{initial}(f) \xrightarrow{s_1} \xrightarrow{(x)^*} n_1 \xrightarrow{(l,m_1)} n_2 \xrightarrow{(y)^*} \xrightarrow{(O,m)} n_3 \xrightarrow{(z)^*} \xrightarrow{s_2} n_4$$

for net configurations $n_1, n_2, n_3, n_4$. For clarity, we take $(x)$, $(y)$, $(z)$ to be "names" for the silent transitions. We show that there exist $n_2'$ and $(y')$ such that

$$\mathit{initial}(f) \xrightarrow{s_1} \xrightarrow{(x)^*} n_1 \xrightarrow{(O,m)} \xrightarrow{(l,m_1)} n_2' \xrightarrow{(y')^*} n_3 \xrightarrow{(z)^*} \xrightarrow{s_2} n_4$$

by induction on the length of $\xrightarrow{(y)^*}$:

• Base case. If $\xrightarrow{(y)^*}$ is the identity relation, then assume

$$n_1 \xrightarrow{(l,m_1)} n_2 \xrightarrow{(O,m)} n_3.$$

Let $n_1 = (e_1 : E, \mu_1)$, $n_2 = (e_2 : E, \mu_2)$, $m = (a,p,p',d)$, and $m' = (\chi(a),p,p',d)$. Then $n_3 = (e_2 : E, \{m'\} \uplus \mu_2)$ by the definition of $\xrightarrow{(O,m)}$. Since $(O,a) \in I$, $n_1 \xrightarrow{(O,m)} (e_1 : E, \{m'\} \uplus \mu_1)$. Also, since $n_1 \xrightarrow{(l,m_1)} n_2$ we have $(e_1 : E, \{m'\} \uplus \mu_1) \xrightarrow{(l,m_1)} n_3$ by Lemma 3.12. Composing the relations, we get

$$n_1 \xrightarrow{(O,m)} \xrightarrow{(l,m_1)} n_3,$$

which completes the base case.

• Inductive step. If $\xrightarrow{(y)^*} = \xrightarrow{(y_0)^*} \xrightarrow{\bullet}$ such that for any $n_3'$,

$$n_1 \xrightarrow{(l,m_1)} n_2 \xrightarrow{(y_0)^*} \xrightarrow{(O,m)} n_3'$$

implies that there exist $n_2''$ and $(y_0')$ with

$$n_1 \xrightarrow{(O,m)} \xrightarrow{(l,m_1)} n_2'' \xrightarrow{(y_0')^*} n_3',$$

then assume

$$n_1 \xrightarrow{(l,m_1)} n_2 \xrightarrow{(y_0)^*} n_{y_0} \xrightarrow{\bullet} n_y \xrightarrow{(O,m)} n_3.$$

Let $n_{y_0} = (e_{y_0} : E, \mu_{y_0})$, $n_y = (e_y : E, \mu_y)$, $m = (a,p,p',d)$, and $m' = (\chi(a),p,p',d)$. Then $n_3 = (e_y : E, \{m'\} \uplus \mu_y)$ by the definition of $\xrightarrow{(O,m)}$. Since $(O,a) \in I$, $n_{y_0} \xrightarrow{(O,m)} (e_{y_0} : E, \{m'\} \uplus \mu_{y_0})$. Also, since $n_{y_0} \xrightarrow{\bullet} n_y$ we have $(e_{y_0} : E, \{m'\} \uplus \mu_{y_0}) \xrightarrow{\bullet} n_3$ by Lemma 3.12. Composing the relations, we get

$$n_1 \xrightarrow{(l,m_1)} n_2 \xrightarrow{(y_0)^*} n_{y_0} \xrightarrow{(O,m)} (e_{y_0} : E, \{m'\} \uplus \mu_{y_0}) \xrightarrow{\bullet} n_3.$$

Applying the hypothesis, we finally get

$$n_1 \xrightarrow{(O,m)} \xrightarrow{(l,m_1)} n_2' \xrightarrow{(y')^*} \xrightarrow{\bullet} n_3,$$

which completes the first part of the proof.

2. $s = s_1::(P,m)::(l,m_1)::s_2 \in [\![f]\!]$ means that

$$\mathit{initial}(f) \xrightarrow{s_1} \xrightarrow{(x)^*} n_1 \xrightarrow{(P,m)} n_2 \xrightarrow{(y)^*} \xrightarrow{(l,m_1)} n_3 \xrightarrow{(z)^*} \xrightarrow{s_2} n_4$$

for net configurations $n_1, n_2, n_3, n_4$ and $(x)$, $(y)$, $(z)$ names for the silent transitions. We show that there exist $(y')$ and $n_2'$ such that

$$\mathit{initial}(f) \xrightarrow{s_1} \xrightarrow{(x)^*} n_1 \xrightarrow{(y')^*} n_2' \xrightarrow{(l,m_1)} \xrightarrow{(P,m)} n_3 \xrightarrow{(z)^*} \xrightarrow{s_2} n_4$$

by induction on the length of $\xrightarrow{(y)^*}$:

• Base case. If $\xrightarrow{(y)^*}$ is the identity relation, then assume

$$n_1 \xrightarrow{(P,m)} n_2 \xrightarrow{(l,m_1)} n_3.$$

Let $n_2 = (e_2 : E, \mu_2)$, $n_3 = (e_3 : E, \mu_3)$ and $m = (a,p,p',d)$. Then $n_1 = (e_2 : E, \{m\} \uplus \mu_2)$ by the definition of $\xrightarrow{(P,m)}$. Since $(P,a) \in I$, $(e_3 : E, \{m\} \uplus \mu_3) \xrightarrow{(P,m)} n_3$. Also, since $n_2 \xrightarrow{(l,m_1)} n_3$ we have $n_1 \xrightarrow{(l,m_1)} (e_3 : E, \{m\} \uplus \mu_3)$ by Lemma 3.12. Composing the relations, we get

$$n_1 \xrightarrow{(l,m_1)} \xrightarrow{(P,m)} n_3,$$

which completes the base case.

• Inductive step. If $\xrightarrow{(y)^*} = \xrightarrow{\bullet} \xrightarrow{(y_0)^*}$ such that for any $n_1'$,

$$n_1' \xrightarrow{(P,m)} \xrightarrow{(y_0)^*} n_2 \xrightarrow{(l,m_1)} n_3$$

implies that there exist $n_2''$ and $(y_0')$ with

$$n_1' \xrightarrow{(y_0')^*} n_2'' \xrightarrow{(l,m_1)} \xrightarrow{(P,m)} n_3,$$

then assume

$$n_1 \xrightarrow{(P,m)} n_m \xrightarrow{\bullet} n_y \xrightarrow{(y_0)^*} n_2 \xrightarrow{(l,m_1)} n_3.$$

Let $n_m = (e_m : E, \mu_m)$, $n_y = (e_y : E, \mu_y)$, and $m = (a,p,p',d)$. Then $n_1 = (e_m : E, \{m\} \uplus \mu_m)$ by the definition of $\xrightarrow{(P,m)}$. Since $(P,a) \in I$, $(e_y : E, \{m\} \uplus \mu_y) \xrightarrow{(P,m)} n_y$. Also, since $n_m \xrightarrow{\bullet} n_y$ we have $n_1 \xrightarrow{\bullet} (e_y : E, \{m\} \uplus \mu_y)$ by Lemma 3.12. Composing the relations, we get

$$n_1 \xrightarrow{\bullet} (e_y : E, \{m\} \uplus \mu_y) \xrightarrow{(P,m)} n_y \xrightarrow{(y_0)^*} n_2 \xrightarrow{(l,m_1)} n_3.$$

Applying the hypothesis, we finally get

$$n_1 \xrightarrow{\bullet} \xrightarrow{(y_0')^*} n_2' \xrightarrow{(l,m_1)} \xrightarrow{(P,m)} n_3,$$

which completes the proof.

□

Lemma 3.14. If $s, s' \in P_\mathfrak{A}$ and $s' \preceq s$, then

1. $\mathit{enabled}(s) = \mathit{enabled}(s')$,

2. $\mathit{cp}(s) = \mathit{cp}(s')$, and

3. $\mathit{fp}(s) = \mathit{fp}(s')$.

Proof. Induction on $\preceq$. The base case is trivial. Consider the case where $s = s_1::\alpha_2::\alpha_1::s_2$ and $s' = s_1::\alpha_1::\alpha_2::s_2$. Let $\alpha_1 = (l_1,(a_1,p_1,p_1',d_1))$ and $\alpha_2 = (l_2,(a_2,p_2,p_2',d_2))$.

1. Induction on the length of $s_2$. In the base case, we have (by associativity and commutativity of $\cup$):

$$\mathit{enabled}(s_1::\alpha_2::\alpha_1) = \mathit{enabled}(s_1) \cup \{(a,p_2') \mid a_2 \vdash_\mathfrak{A} a\} \cup \{(a,p_1') \mid a_1 \vdash_\mathfrak{A} a\} = \mathit{enabled}(s_1) \cup \{(a,p_1') \mid a_1 \vdash_\mathfrak{A} a\} \cup \{(a,p_2') \mid a_2 \vdash_\mathfrak{A} a\} = \mathit{enabled}(s_1::\alpha_1::\alpha_2).$$

2. Induction on the length of $s_2$ as in 1.

3. Induction on the length of $s_2$. In the base case, we have (since by the definition of $\preceq$, $p_1 \neq p_2'$ and $p_2 \neq p_1'$):

$$\mathit{fp}(s_1::\alpha_2::\alpha_1)$$
$$= \mathit{fp}(s_1::\alpha_2) \cup (\{p_1\} \setminus \mathit{cp}(s_1::\alpha_2))$$
$$= \mathit{fp}(s_1) \cup (\{p_2\} \setminus \mathit{cp}(s_1)) \cup (\{p_1\} \setminus (\mathit{cp}(s_1) \cup \{p_2'\}))$$
$$= \mathit{fp}(s_1) \cup (\{p_2\} \setminus (\mathit{cp}(s_1) \cup \{p_1'\})) \cup (\{p_1\} \setminus \mathit{cp}(s_1))$$
$$= \mathit{fp}(s_1) \cup (\{p_1\} \setminus \mathit{cp}(s_1)) \cup (\{p_2\} \setminus (\mathit{cp}(s_1) \cup \{p_1'\}))$$
$$= \mathit{fp}(s_1::\alpha_1) \cup (\{p_2\} \setminus \mathit{cp}(s_1::\alpha_1))$$
$$= \mathit{fp}(s_1::\alpha_1::\alpha_2)$$

□
Lemma 3.15. Let $S \subseteq P_\mathfrak{A}$ be a saturated set of traces. If $s, s' \in S$ are traces such that $s' \preceq s$ and $s::\alpha \in S$, then $s'::\alpha \in S$.

Proof. Induction on $\preceq$. The base case is trivial. We show the case of a single swapping. If $s' \preceq s$, we have $s = s_1::\alpha_2::\alpha_1::s_2$ and $s' = s_1::\alpha_1::\alpha_2::s_2$ for some $s_1, s_2, \alpha_1, \alpha_2$. Obviously, $s'::\alpha \preceq s::\alpha$.

We have to show that if $s::\alpha \in P_\mathfrak{A}$, then $s'::\alpha \in P_\mathfrak{A}$, i.e. that $s'::\alpha$ fulfils the legality conditions imposed by $P_\mathfrak{A}$:

• It is easy to see that $s'::\alpha$ has unique pointers and is correctly labelled.

• $s'::\alpha$ is justified since $\mathit{enabled}(s) = \mathit{enabled}(s')$ by Lemma 3.14.

• To see that $s'::\alpha$ is strictly scoped, consider the ("worst") case when

$$(l,(a,p,p',d))::s_3::\alpha \sqsubseteq s'::\alpha \quad \text{and} \quad a \in \mathit{ans}_\mathfrak{A}$$

(i.e. we pick the segment that goes right up to the end of the trace). We consider the different possibilities for the position of this answer message:

  – If $(l,(a,p,p',d)) \sqsubseteq s_1$, then let $s_4' = (l,(a,p,p',d))::s_1'::\alpha_1::\alpha_2::s_2::\alpha \sqsubseteq s'::\alpha$ and $s_4 = (l,(a,p,p',d))::s_1'::\alpha_2::\alpha_1::s_2::\alpha$. We also know that $p \notin \mathit{fp}(s_4)$ as $s::\alpha \in P_\mathfrak{A}$. Now, since $s_4' \preceq s_4$, we have $\mathit{fp}(s_4) = \mathit{fp}(s_4')$ by Lemma 3.14 and thus also $p \notin \mathit{fp}(s_4')$.

  – If $(l,(a,p,p',d)) = \alpha_2$, we know that $p \notin \mathit{fp}(s_2::\alpha)$ by $s::\alpha \in P_\mathfrak{A}$. Since $s' \in P_\mathfrak{A}$ we have $p \notin \mathit{fp}(\alpha_1)$ and can so conclude that $p \notin \mathit{fp}(\alpha_1::s_2::\alpha)$.

  – If $(l,(a,p,p',d)) = \alpha_1$ or $(l,(a,p,p',d)) \sqsubseteq s_2$, $p \notin \mathit{fp}(s_2::\alpha)$ follows immediately from $s \in P_\mathfrak{A}$.

  – If $(l,(a,p,p',d)) = \alpha$, $p \notin \mathit{fp}(\varepsilon) = \emptyset$ is trivially true.

• To see that $s'::\alpha$ is strictly nested, assume

$$(l_1,(a_1,p,p',d_1))::s_1::(l_2,(a_2,p',p'',d_2))::s_2::(l_3,(a_3,p',p''',d_3)) \sqsubseteq s'::\alpha$$

for port names $a_1, a_2 \in \mathit{qst}_\mathfrak{A}$ and $a_3 \in \mathit{ans}_\mathfrak{A}$. We have to show that this implies $(l_4,(a_4,p'',-,d_4)) \sqsubseteq s_2$, for a port name $a_4 \in \mathit{ans}_\mathfrak{A}$. We proceed by considering the possible positions of the last message in the segment:

  – If $(l_3,(a_3,p',p''',d_3)) \sqsubseteq s'$, then the proof is immediate, by $s' \in P_\mathfrak{A}$ being strictly nested.

  – If $(l_3,(a_3,p',p''',d_3)) = \alpha$ we use the fact that $s::\alpha \in P_\mathfrak{A}$ is strictly nested. We assume that the implication (using the same names) as above holds for $s::\alpha$ instead, and show that any swappings that can have occurred in $s'$ that reorder the $a_1$, $a_2$, $a_4$ moves would render $s'$ illegal:

    * If $a_2$ was moved before $a_1$, then $s'$ would not be justified.

    * If $a_4$ was moved before $a_2$, then $s'$ would not be justified.

  As the order is preserved, this shows that the swappings must be done in a way such that the implication holds for $s'::\alpha$.

□

Lemma 3.16. For any game net $f = (S, \mathfrak{A})$ and trace $s \in P_\mathfrak{A}$, $s \in [\![f]\!]$ if and only if $\forall p \in \mathit{fp}(s).\ s \upharpoonright \{p\} \in [\![f]\!]$.

Lemma 3.17. $\mathit{cc}^{\mathit{st},\mathit{alt}}_{\mathfrak{A},\mathfrak{A}'} \subseteq [\![\mathfrak{C}_{\pi,\mathfrak{A}}]\!]$.

Proof. For convenience, let $(f, \mathfrak{A} \Rightarrow \mathfrak{A}') = \mathfrak{C}_{\pi,\mathfrak{A}}$, $S_1 = \mathit{cc}^{\mathit{st},\mathit{alt}}_{\mathfrak{A},\mathfrak{A}'}$ and $S_2 = [\![f]\!]$. We show that $s \in S_1$ implies $s \in S_2$, by induction on the length of $s$:

• Hypothesis. If $s$ has even length, then $\mathit{initial}(f) \xrightarrow{s} (\{(\emptyset, h) : E\}, \emptyset)$ and $h$ is exactly (nothing more than) a copycat heap for $s$ over $\mathfrak{A} \Rightarrow \mathfrak{A}'$. In other words, there are no threads running and no pending messages, and the heap is precisely specified.

• Base case. Trivial.

• Inductive step. At any point in the execution of the configuration of $f$, an O-labelled message can be received, so that case is rather uninteresting. Since the trace $s$ is alternating, we consider two messages in each step:

Assume $s = s'::(O,(a_1,p_1,p_1',d_1))::(P,(a_2,p_2,p_2',d_2)) \in S_1$ and that $s' \in S_2$. From the definition of $\mathit{cc}$ we know that $a_2 = \pi_A(a_1)$, $p_2 = \pi_P(p_1)$, $p_2' = \pi_P(p_1')$, and $d_1 = d_2$.

We are given that $\mathit{initial}(f) \xrightarrow{s'} (\{(\emptyset, h) : E\}, \emptyset)$ as in the hypothesis. We have five cases for the port name $a_1$. We show the first three, as the others are similar. In each case our single engine will receive a message and start a thread:

  – If $a_1 \in \mathit{ini}_{\mathfrak{A}'}$, then (since $s$ is justified) $p_2 = p_1'$ and (by the definition of $\pi_A$) $a_2 = \pi_A^{-1}(a_1)$. The engine runs the first clause of the copycat definition, and chooses to create the pointer $p_2'$ and then performs a send operation. We thus get:

$$\mathit{initial}(f) \xrightarrow{s} (\{(\emptyset, h \cup \{p_2' \mapsto p_1'\}) : E\}, \emptyset)$$

It can easily be verified that the hypothesis holds for this new state.

  – If $a_1 \in (\mathit{opp}_{\mathfrak{A}'} \cap \mathit{qst}_{\mathfrak{A}'}) \setminus \mathit{ini}_{\mathfrak{A}'}$, then $a_2 = \pi_A^{-1}(a_1)$. Since $s$ is justified and strictly nested, there is a message $(P,(a_3,p_3,p_1,d_3)) \sqsubseteq s'$ that is pending.

By the hypothesis there is a message $(O,(\pi_A(a_3),p_4,p_4',d_4)) \sqsubseteq s'$ with $h(p_1) = p_4'$, which means that the $\mathsf{ccq}$ instruction can be run, yielding the following:

$$\mathit{initial}(f) \xrightarrow{s} (\{(\emptyset, h \cup \{p_2' \mapsto p_1'\}) : E\}, \emptyset)$$

The hypothesis can easily be verified also in this new state.

  – If $a_1 \in \mathit{opp}_{\mathfrak{A}'} \cap \mathit{ans}_{\mathfrak{A}'}$, then $a_2 = \pi_A^{-1}(a_1)$. Since $s$ is justified and strictly nested, there is a prefix $s_1::(P,(a_3,p_3,p_1,d_3)) \le s'$ whose last message is a pending question. By the hypothesis $s_1$ is then of the form $s_1 = s_2::(O,(\pi_A(a_3),\pi_P(p_3),\pi_P(p_1),d_4))$ with $h = h' \cup \{p_1 \mapsto \pi_P(p_1)\}$, which means that the $\mathsf{cca}$ instruction can be run, yielding the following:

$$\mathit{initial}(f) \xrightarrow{s} (\{(\emptyset, h') : E\}, \emptyset)$$

The hypothesis is still true; the $a_3$ question is no longer pending and its pointer is removed from the heap (notice that $p_2 = \pi_P(p_1)$).

□

Theorem 3.18. If $s = s_1::o::s_2 \in \mathit{cc}_{\mathfrak{A},\mathfrak{A}'}$ and $\rho \not\sqsubseteq s_2$, then $s::\rho \in \mathit{cc}_{\mathfrak{A},\mathfrak{A}'}$, where $o = (O,(a,p,p',d))$ and $\rho = (P,(\pi_A(a),\pi_P(p),\pi_P(p'),d))$ (i.e. the "copy" of $o$).

Proof. By induction on $\preceq$.

• Base case. This means that $s = s_1::o::s_2 \in \mathit{cc}^{\mathit{st},\mathit{alt}}_{\mathfrak{A},\mathfrak{A}'}$. But since $\rho \not\sqsubseteq s_2$ and by the definition of the alternating copycat, $s_2 = \varepsilon$. It is easy to check that $s::\rho \in \mathit{cc}^{\mathit{st},\mathit{alt}}_{\mathfrak{A},\mathfrak{A}'}$ and that it is legal.

• Inductive step. Assume $s \preceq s'$ for an $s' \in P_{\mathfrak{A} \Rightarrow \mathfrak{A}'}$ such that $s'::\rho \in \mathit{cc}_{\mathfrak{A},\mathfrak{A}'}$. By Lemma 3.15, $s::\rho \in \mathit{cc}_{\mathfrak{A},\mathfrak{A}'}$.

□
Definition 3.19. Define the multiset of messages that a net configuration $n$ is ready to immediately send as $\mathit{ready}(n) = \{(P,m) \mid \exists n'.\ n \xrightarrow{\bullet^*} \xrightarrow{(P,m)} n'\}$.

Definition 3.20. If $s$ is a trace, $h$ is a heap, $\mathfrak{A}$ is a game interface, and $\pi_P$ is a permutation over $\mathbb{P}$, we say that $h$ is a copycat heap for $s$ over $\mathfrak{A}$ if and only if: for every pending P-question from $\mathfrak{A}$ in $s$, i.e. $(P,(a,p,p',d)) \sqsubseteq s$ ($a \in \mathit{qst}_\mathfrak{A}$), $h(p') = (\pi_P(p'), 0)$.

Lemma 3.21. If $s \in \mathit{cc}$ is a trace such that $\mathit{initial}(\mathfrak{C}) \xrightarrow{s} n$, then the following holds:

1. If $n \xrightarrow{\bullet^*} n'$ then $\mathit{ready}(n) = \mathit{ready}(n')$.

2. If $n \xrightarrow{\bullet^*} \xrightarrow{(P,m)} n'$, then $\mathit{ready}(n) = \mathit{ready}(n') \cup \{(P,m)\}$.

As we are only interested in what is observable, the trace $s$ is thus equivalent to one where silent steps are only taken in one go by one thread right before outputs.



Proof. 1. For convenience, we give the composition of silent steps a name, $n \xrightarrow{(x)^*} n'$. We proceed by induction on the length of $(x)$:

• Base case. Immediate.

• Inductive step. If $n \xrightarrow{\bullet} \xrightarrow{(x)^*} n'$, we analyse the first silent step, which means that a thread $t$ of the engine in the net takes a step:

  – In the cases where an instruction that does not change or depend on the heap is run, the step cannot affect $\mathit{ready}(n)$.

  – In the case where the instruction is in $\{\mathsf{cci}, \mathsf{ccq}, \mathsf{exi}, \mathsf{exq}\}$, we note that the heap is not changed, but merely extended with a fresh mapping which cannot have appeared earlier in the trace.

  – If the instruction is $\mathsf{cca}$, since the trace $s$ is strictly nested by assumption, the input message that this message stems from occurs in a position in the trace where it would later be illegal to mention the deallocated pointer again.

2. Immediate.

□

Theorem 3.22. If $s \in \mathit{cc}^{\mathit{st}}$ is a trace such that $\mathit{initial}(\mathfrak{C}) \xrightarrow{s} n$ for an $n = (\{(t,h) : E\}, m)$, then there exists a permutation $\pi_P$ over $\mathbb{P}$ such that the following holds:

1. The heap $h$ is a copycat heap for $s$ over $\mathfrak{A} \Rightarrow \mathfrak{A}'$.

2. The set of messages that $n$ can immediately send, $\mathit{ready}(n)$, is exactly the set of messages $\rho$ such that $s = s_1::o::s_2$ and $\rho \not\sqsubseteq s_2$, where the form of $o$ and $\rho$ is $o = (O,(a,p,p',d))$ and $\rho = (P,(\pi_A(a),\pi_P(p),\pi_P(p'),d))$ (i.e. the "copy" of $o$).

Proof. Induction on the length of $s$. The base case is immediate.

We need to show that if the theorem holds for a trace $s$, then it also holds for $s::\alpha$. We thus assume that there exists a permutation $\pi_P$ such that the hypothesis holds for $s$ and that $\mathit{initial}(\mathfrak{C}) \xrightarrow{s} n \xrightarrow{\bullet^*} \xrightarrow{\alpha} n'$.

1. If $\alpha = (P,(\pi_A(a),\pi_P(p),\pi_P(p'),d))$ then by (2) there must be a message $o = (O,(a,p,p',d))$ such that $s = s_1::o::s_2$ and $\alpha \in \mathit{ready}(n)$. Since we "chose" $\pi_P$ such that $\rho$ can only be gotten from the thread spawned by $o$, we can proceed by cases as we did in Lemma 3.17 to see that the heap structure is correct in each case.

2. • If $\alpha = (P,(\pi_A(a),\pi_P(p),\pi_P(p'),d))$ then by (2) there must be a message $o = (O,(a,p,p',d))$ such that $s = s_1::o::s_2$ and $\alpha \in \mathit{ready}(n)$. By Lemma 3.21, $\mathit{ready}(n) = \mathit{ready}(n') \cup \{\alpha\}$. We can easily verify that (2) holds for $n'$.

   • If $\alpha = (O,(a,p_1,p_1',d))$, then we can proceed as in Lemma 3.17 to see that a message $\rho = (P,(\pi_A(a),p_2,p_2',d)) \in \mathit{ready}(n')$. We then simply construct our extended permutation such that the hypothesis holds.

□
3.4 Composition

The definition of composition in Hyland-Ong games [19] is eerily similar to our definition of trace composition, so we might expect HRAM net composition to correspond to it. That is, however, only superficially true: the nominal setting that we are using [9] brings to light what happens to the justification pointers in composition.

If $A$ is an interface, $s \in \mathit{traces}_A$ and $X \subseteq \mathrm{sup}(A)$, we define the reindexing deletion operator $s \upharpoonleft X$ as follows, where $(s', \rho) = s \upharpoonleft X$ inductively:

$$\varepsilon \upharpoonleft X = (\varepsilon, \mathit{id})$$
$$s::(l,(a,p,p',d)) \upharpoonleft X \triangleq (s'::(l,(a,\rho(p),p',d)),\ \rho) \quad \text{if } a \notin X$$
$$s::(l,(a,p,p',d)) \upharpoonleft X \triangleq (s',\ \rho \cup \{p' \mapsto \rho(p)\}) \quad \text{if } a \in X$$

We write $s \upharpoonleft X$ for $s'$ when $s \upharpoonleft X = (s', \rho)$ in the following definition:

Definition 3.23. The game composition of the sets of traces $S_1 \subseteq \mathit{traces}_{A \Rightarrow B}$ and $S_2 \subseteq \mathit{traces}_{B' \Rightarrow C}$ with $\pi \vdash B =_\alpha B'$ is

$$S_1 ;_G S_2 = \{ s \upharpoonleft B \mid s \in \mathit{traces}_{A \otimes B \otimes C} \wedge s \upharpoonleft C \in S_1 \wedge \pi \cdot (s \upharpoonleft A) \in S_2 \}$$

Clearly we have $S_1 ; S_2 \neq S_1 ;_G S_2$ for sets of traces $S_1$ and $S_2$, which reinforces the practical problem in the beginning of this section.

Composition is constructed out of three copycat-like behaviours, as sketched in Fig. 6 for a typical play at some types $A$, $B$ and $C$. As a trace in the nominal model, this is:

$$(q_6,p_0,p_1)::(q_4,p_1,p_2)::(q_3,p_2,p_3)::(q_2,p_1,p_4)::(q_1,p_4,p_5)::(q_5,p_1,p_6)::(a_5,p_6)::$$
$$(a_1,p_5)::(a_2,p_4)::(a_3,p_3)::(a_4,p_2)::(a_6,p_1)$$

We see that this almost corresponds to three interleaved copycats as described above: between $A$, $B$, $C$ and $A'$, $B'$, $C'$. There is, however, a small difference. The move $q_1$, if it were to blindly follow the recipe of a copycat, would dereference the pointer $p_4$, yielding $p_3$, and so incorrectly make the move $q_5$ justified by $q_3$, whereas it really should be justified by $q_6$ as in the diagram. This is precisely the problem explained at the beginning of this section.

To make a pointer extension, when the $B$-initial move $q_3$ is performed, it should map $p_4$ not only to $p_3$, but also to the pointer that $p_2$ points to, which is $p_1$ (the dotted line in the diagram). When the $A$-initial move $q_1$ is performed, it has access to both of these pointers that $p_4$ maps to, and can correctly make the $q_5$ move by associating it with pointers $p_1$ and a fresh $p_6$.
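The reindexing deletion operator defined above makes the pointer extension mechanical; the following Python is an added example, not the paper's code, that runs it over the Fig. 6 trace with the B and B' ports deleted (the hidden interaction of Definition 3.23) and shows the justifier of q1 being redirected from p4 to p1, i.e. to q6. The polarity labels on the trace are reconstructed from K's point of view and are an assumption.

```python
def reindex_delete(s, X):
    """Reindexing deletion of the moves on ports X (Section 3.4).

    Moves on ports in X are dropped; every surviving move's justifier is read through rho,
    and a dropped move's own pointer is made to stand for its own (reindexed) justifier,
    so no remaining pointer targets a hidden move.  Returns (s', rho).
    """
    rho, kept = {}, []
    for l, (a, p, pp, d) in s:
        rp = rho.get(p, p)                  # rho extends the identity
        if a not in X:
            kept.append((l, (a, rp, pp, d)))
        elif pp is not None:                # answers carry no own pointer (None for "-")
            rho[pp] = rp
    return kept, rho

# The play of Fig. 6 over (A => B) (x) (B' => C) -> (A' => C'), labelled from K's point of view
# (constructed labels; the pointers are those printed in the text).
FIG6 = [("O", ("q6", "p0", "p1", None)), ("P", ("q4", "p1", "p2", None)),
        ("O", ("q3", "p2", "p3", None)), ("P", ("q2", "p1", "p4", None)),
        ("O", ("q1", "p4", "p5", None)), ("P", ("q5", "p1", "p6", None)),
        ("O", ("a5", "p6", None, None)), ("P", ("a1", "p5", None, None)),
        ("O", ("a2", "p4", None, None)), ("P", ("a3", "p3", None, None)),
        ("O", ("a4", "p2", None, None)), ("P", ("a6", "p1", None, None))]

B_PORTS = {"q2", "a2", "q3", "a3"}          # the moves of B and B' that composition hides

def justifier_of(s, port):
    """Pointer that the move on `port` is justified by in trace s (None if absent)."""
    return next((p for _, (a, p, pp, d) in s if a == port), None)

def hide_interaction(s=FIG6, hidden=B_PORTS):
    return reindex_delete(s, hidden)

if __name__ == "__main__":
    composed, rho = hide_interaction()
    print("q1 justified by", justifier_of(FIG6, "q1"), "before,", justifier_of(composed, "q1"), "after")
    print(rho)
```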

Figure 6: Composition from copycat, on $(A \Rightarrow B) \otimes (B' \Rightarrow C) \to (A' \Rightarrow C')$

Let $\mathfrak{A}'$, $\mathfrak{B}'$ and $\mathfrak{C}'$ be game interfaces such that $\pi_\mathfrak{A} \vdash \mathfrak{A} =_\alpha \mathfrak{A}'$, $\pi_\mathfrak{B} \vdash \mathfrak{B} =_\alpha \mathfrak{B}'$, $\pi_\mathfrak{C} \vdash \mathfrak{C} =_\alpha \mathfrak{C}'$, and

Then the game composition operator $K_{\mathfrak{A},\mathfrak{B},\mathfrak{C}}$ is:

$$K_{\mathfrak{A},\mathfrak{B},\mathfrak{C}} = ((A \Rightarrow B) \otimes (B' \Rightarrow C) \Rightarrow (A' \Rightarrow C'),\ P_A \cup P_B \cup P_C).$$

Using the game composition operator $K$ we can define GAM-net composition 
using HRAM-net compact closed combinators. Let $f : \mathfrak{A} \Rightarrow \mathfrak{B}$, $g : \mathfrak{B}' \Rightarrow \mathfrak{C}$ be 
GAM-nets. Then their composition is defined as 

$$f ;_{GAM} g = \Lambda^{-1}\big((\Lambda_A(f) \otimes \Lambda_{B'}(g)) ; K_{\mathfrak{A},\mathfrak{B},\mathfrak{C}}\big), \text{ where}$$

$$\begin{aligned}
\Lambda_A(f : A \to B) &\triangleq (\eta_A ; (\mathit{id}_{A^*} \otimes f)) : I \to A^* \otimes B \\
\Lambda_A^{-1}(f : I \to A \otimes B) &\triangleq ((\mathit{id}_A \otimes f) ; (\varepsilon_A \otimes \mathit{id}_B)) : A \to B.
\end{aligned}$$



Composition is represented diagrammatically as in Fig. 7. Note the comparison 
with the naive composition from Fig. 2: HRAMs $f$ and $g$ are not plugged in di- 
rectly, although the interfaces match. Composition is mediated by the operator 
$K$, which preserves the locality of freshly generated names, exchanging non-local 
pointer names with local pointer names and storing the mapping between the 
two as copy-cat links, indicated diagrammatically by dotted lines in $K$. 

Figure 7: Composing GAMs using the K HRAM 

Theorem 3.24. If $f : \mathfrak{A} \to \mathfrak{B}$ and $g : \mathfrak{B}' \to \mathfrak{C}$ are game nets such that 
$\pi_{\mathfrak B} \vdash \mathfrak{B} =_\alpha \mathfrak{B}'$, $f$ implements $S_f \subseteq P_{\mathfrak{A} \Rightarrow \mathfrak{B}}$, and $g$ implements $S_g \subseteq P_{\mathfrak{B}' \Rightarrow \mathfrak{C}}$, 
then $f ;_{GAM} g$ implements $(S_f ;_G S_g)$. 

Definition 3.25. If $s$ is a trace, $h$ is a heap, $\mathfrak{A}$ is a game interface, and $\pi_P$ is 
a permutation over $P$, we say that $h$ is an extended copycat heap for $s$ over $\mathfrak{A}$ 
if and only if: 

1. For every pending P-question non-initial in $\mathfrak{A}$ in $s$, i.e. $(P,(a,p,p',d)) \sqsubseteq s$ 
($a \in \mathit{qst}_{\mathfrak A} \setminus \mathit{ini}_{\mathfrak A}$), $h(p') = (\pi_P(p'), 0)$. 

2. For every pending P-question initial in $\mathfrak{A}$ in $s$ and its justifying move, 
i.e. $(O,(a_1,p_1,p,d_1)){::}s'{::}(P,(a_2,p,p_2,d_2)) \sqsubseteq s$ ($a_2 \in \mathit{ini}_{\mathfrak A}$), $h(p_2) = (\pi_P(p_2), \pi_P(p_1))$. 

Theorem 3.26. If $f : \mathfrak{A} \to \mathfrak{B}$ and $g : \mathfrak{B}' \to \mathfrak{C}$ are game nets such that 
$\pi_{\mathfrak B} \vdash \mathfrak{B} =_\alpha \mathfrak{B}'$, $f$ implements $S_f \subseteq P_{\mathfrak{A} \Rightarrow \mathfrak{B}}$, and $g$ implements $S_g \subseteq P_{\mathfrak{B}' \Rightarrow \mathfrak{C}}$, 
then $(S_f ;_G S_g)^{st,alt} \subseteq [\![ f ;_{GAM} g ]\!] = [\![ \Lambda^{-1}(\Lambda_A(f) \otimes \Lambda_{B'}(g) ; K_{\mathfrak{A},\mathfrak{B},\mathfrak{C}}) ]\!]$. 

Proof. We show that $s' \in (S_f ;_G S_g)^{st,alt}$ implies that there exists a $\pi_P$ such 
that $\pi_{\mathfrak{A},\mathfrak{C}} \cdot \pi_P \cdot s' \in [\![ f ;_{GAM} g ]\!] = [\![ \Lambda^{-1}(\Lambda_A(f) \otimes \Lambda_{B'}(g) ; K_{\mathfrak{A},\mathfrak{B},\mathfrak{C}}) ]\!] = [\![ \Lambda_A(f) ]\!] \otimes [\![ \Lambda_{B'}(g) ]\!] ; [\![ K_{\mathfrak{A},\mathfrak{B},\mathfrak{C}} ]\!]$. 
Recall the definition of game composition: 

$$S_f ;_G S_g = \{\, s \restriction B \mid s \in \mathit{traces}_{A \otimes B \otimes C} \wedge s \restriction C \in S_f \wedge \pi_{\mathfrak B} \cdot s \restriction A \in S_g \,\}$$

We proceed by induction on the length of such an $s$: 

• Hypothesis. There exists an $s_K$ such that $\mathit{initial}(K_{\mathfrak{A},\mathfrak{B},\mathfrak{C}}) \to^{s_K} n$ where 
$n = (\{(0, h) : E\}, \emptyset)$ and $h$ is exactly (nothing more than) the union of a 
copycat heap for $s_K$ over $\mathfrak{A}' \Rightarrow \mathfrak{A}$, a copycat heap for $s_K$ over $\mathfrak{C} \Rightarrow \mathfrak{C}'$ and 
an extended copycat heap for $s_K$ over $\mathfrak{B} \Rightarrow \mathfrak{B}'$. 

Let 

$$\begin{aligned}
s_f &= s \restriction C \\
s_g &= \pi_{\mathfrak B} \cdot s \restriction A \\
s_{f;g} &= s \restriction B \\
s_{K,f} &= s_K - A', B', C, C', \text{ the part of } s_K \text{ relating to } f \\
s_{K,g} &= s_K - A, A', B, C', \text{ the part of } s_K \text{ relating to } g \\
s_{K,f;g} &= s_K - A, B, B', C, \text{ the part of } s_K \text{ relating to the whole game net.}
\end{aligned}$$

We require that $s_K$ fulfils $s_{K,f} = s_f$, $s_{K,g} = s_g$, and $s_{K,f;g} = \pi_{\mathfrak{A},\mathfrak{C}} \cdot \pi_P \cdot s_{f;g}$. 
Note that $s_{K,f;g}$ is the trace of $f ;_{GAM} g$, by the definition of trace 
composition. 

• Base case. Immediate. 

• Inductive step. Assume $s = s'{::}\alpha$ and that the hypothesis holds for $s'$ and 
some $\pi_P$ and $s'_K$. We proceed by cases on the message $\alpha$: 

  – If $\alpha = (O,(a,p,p',d))$, we have three cases: 

    * If $a \in \mathit{sup}(A)$, intuitively this means that we are getting a 
      message from outside the $K$ engine, and need to propagate it 
      through $K$ to $f$. We construct $s_K$ and $\pi_P$ such that $s_K = 
      s'_K{::}(O,(\pi_{\mathfrak A}(a),\pi_P(p),\pi_P(p'),d)){::}\alpha^*$, by further sub-cases on $a$ 
      ($\pi_P$ will be determined by steps of the $K$ configuration): 

      · $a \in \mathit{ini}_{\mathfrak A}$ cannot be the case, because an initial message in 
        $A$ must be justified by an initial (O-)message in $C$, and so 
        must be a P-message. 

      · If $a \in (\mathit{qst}_{\mathfrak A} \setminus \mathit{ini}_{\mathfrak A}) \cup \mathit{ans}_{\mathfrak A}$, this means that $s' \restriction C{::}\alpha = 
        (s'{::}\alpha) \restriction C$, as the message must be justified by a message 
        from $\mathfrak{A}$. As $f$ is O-closed, $s \restriction C \in [\![ \Lambda_A(f) ]\!]$. This trace can be 
        stepped to by $n'$ just like how it was done in Theorem 3.17. 
        We can verify that the parts of the hypothesis not in that 
        theorem hold; in particular for this case we have $s_{K,f} = 
        s'_{K,f}{::}\alpha^*$, so indeed $s_{K,f} = s_f$ as required. 

    * If $a \in \mathit{sup}(B)$, intuitively this means that $g$ is sending a message to $f$, which 
      has to go through $K$. We construct $s_K$ and $\pi_P$ such that $s_K = 
      s'_K{::}(O,(a,\pi_P(p),\pi_P(p'),d)){::}\pi_{\mathfrak B} \cdot \alpha^*$, by further sub-cases on $a$ 
      ($\pi_P$ will be determined by steps of the $K$ configuration): 

      · If $a \in \mathit{ini}_{\mathfrak B}$, there must be a pending P-message from $\mathfrak{C}$ 
        justifying $\alpha$ in $s'$, i.e. $(P,(a_0,p_0,\pi_P(p),d_0)) \sqsubseteq s'$, and then 
        by Definition 3.20 $h(\pi_P(p)) = (p, 0)$ (as $\pi_P$ is its own inverse). 
        This means that (running the exi instruction) we get: 

        $$n' \xrightarrow{(O,(\pi_{\mathfrak B}(a),\pi_P(p),\pi_P(p'),d))} \xrightarrow{\alpha^*} (\{(0, h \cup \{p' \mapsto (\pi_P(p'), p)\}) : E\}, \emptyset) = n$$

        Now $\pi_{\mathfrak B} \cdot \alpha^*$ is a new pending P-question in the trace that is 
        initial in $\mathfrak{B} \Rightarrow \mathfrak{B}'$, but our new heap mapping fulfils clause 
        (2) of Definition 3.25 as required. 

      · If $a \in (\mathit{qst}_{\mathfrak B} \setminus \mathit{ini}_{\mathfrak B}) \cup \mathit{ans}_{\mathfrak B}$, this is similar to the $\mathfrak{A}$ case 
        (note that the extended copycat only differs from the ordi- 
        nary copycat for initial messages). 

    * If $a \in \mathit{sup}(C)$, intuitively this means that we are getting a message from outside 
      the $K$ engine, and need to propagate it through $K$ to $g$. We 
      construct $s_K$ and $\pi_P$ such that: 

      $$s_K = s'_K{::}(O,(\pi_{\mathfrak C}(a),\pi_P(p),\pi_P(p'),d)){::}\alpha^*$$

      In this case, the code that we will run is just that of the copycat engine $\mathfrak{CC}$, so we 
      can proceed like in Theorem 3.17, easily verifying our additional 
      assumptions. 

  – If $\alpha = (P,(a,p,p',d))$, we have three cases: 

    * If $a \in \mathit{sup}(A)$, intuitively this means that we get a message from 
      $f$ and need to propagate it through $K$ to the outside. By further 
      sub-cases on $a$, we construct $s_K$ and $\pi_P$ such that: 

      $$s_K = s'_K{::}\alpha^*{::}(P,(\pi_{\mathfrak A}(a),\pi_P(p),\pi_P(p'),d))$$

      The pointer permutation $\pi_P$ will be determined by steps of the 
      $K$ configuration. 

      · If $a \in \mathit{ini}_{\mathfrak A}$, then $a$ must be justified in $s'$ by a pending and 
        initial P-question from $\mathfrak{B}$ by the definition of $\mathfrak{A} \Rightarrow \mathfrak{B}$, which 
        must in turn be justified by a pending and initial O-question 
        from $\mathfrak{C}$ by the definition of $\mathfrak{B} \Rightarrow \mathfrak{C}$. In $s'_K$ we have (since 
        $s'_{K,f;g} = \pi_{\mathfrak{A},\mathfrak{C}} \cdot \pi_P \cdot s'_{f;g}$) 

        $$s'_K = s_1{::}(O,(a_{C'},p_0,p_{C'},d_{C'})){::}s_2{::}(P,(a_{\mathfrak B},p_{C'},p,d_{C'})){::}s_3$$

        This means that clause (2) in Definition 3.25 applies, such 
        that $h(p) = (\pi_P(p), \pi_P(p_0))$, and that (running the exq in- 
        struction) we get: 

        $$n' \xrightarrow{\alpha^*} \xrightarrow{(P,(\pi_{\mathfrak A}(a),\pi_P(p),\pi_P(p'),d))} (\{(0, h \cup \{\pi_P(p') \mapsto (p', 0)\}) : E\}, \emptyset) = n$$

        Clause (1) of Definition 3.25 applies to these new messages 
        and trivially holds. 

      · When $a \in (\mathit{qst}_{\mathfrak A} \setminus \mathit{ini}_{\mathfrak A}) \cup \mathit{ans}_{\mathfrak A}$, the code that we will run is 
        just that of $\mathfrak{CC}$, so we can proceed like in Theorem 3.17, also 
        verifying our additional assumptions. 

    * If $a \in \mathit{sup}(B)$, intuitively this means that $f$ is sending a message 
      to $g$, which has to go through $K$. 

      · $a \in \mathit{ini}_{\mathfrak B}$ cannot be the case for a P-message. 

      · When $a \in (\mathit{qst}_{\mathfrak B} \setminus \mathit{ini}_{\mathfrak B}) \cup \mathit{ans}_{\mathfrak B}$, the code that we will run is 
        just that of $\mathfrak{CC}$, so we can proceed like in Theorem 3.17, also 
        verifying our additional assumptions. 

    * If $a \in \mathit{sup}(C)$, intuitively this means that we get a message from 
      $g$ and need to propagate it through $K$ to the outside. 

      · $a \in \mathit{ini}_{\mathfrak C}$ cannot be the case for a P-message. 

      · When $a \in (\mathit{qst}_{\mathfrak C} \setminus \mathit{ini}_{\mathfrak C}) \cup \mathit{ans}_{\mathfrak C}$, the code that we will run is 
        just that of $\mathfrak{CC}$, so we can proceed like in Theorem 3.17, also 
        verifying our additional assumptions. 

□ 

Lemma 3.27. If $f : \mathfrak{A} \to \mathfrak{B}$ and $g : \mathfrak{B}' \to \mathfrak{C}$ are game nets such that $\pi_{\mathfrak B} \vdash 
\mathfrak{B} =_\alpha \mathfrak{B}'$, $f$ implements $S_f \subseteq P_{\mathfrak{A} \Rightarrow \mathfrak{B}}$, and $g$ implements $S_g \subseteq P_{\mathfrak{B}' \Rightarrow \mathfrak{C}}$, then 
$[\![ f ;_{GAM} g ]\!]$ is P-closed with respect to $(S_f ;_G S_g)$. 

Proof. Similar to Theorems 3.22 and 3.26. We identify the set $\mathit{ready}(n)$ with 
"uncopied" messages of a $K$ net configuration $n$ and show that these are legal 
according to the game composition. Then we show by induction that, assuming 
a heap as in Theorem 3.26, the $\mathit{ready}(n)$ set is precisely those messages. □ 

3.5 Diagonal 

For game interfaces $\mathfrak{A}_1, \mathfrak{A}_2, \mathfrak{A}_3$ and permutations $\pi_{ij}$ such that $\pi_{ij} \vdash \mathfrak{A}_i =_\alpha \mathfrak{A}_j$ 
for $i \neq j \in \{1,2,3\}$, we define the family of diagonal engines as: 

$$\delta_{\pi_{12},\pi_{13},\mathfrak{A}} = (A_1 \Rightarrow A_2 \otimes A_3,\ P_1 \cup P_2 \cup P_3)$$

where, for $i \in \{2,3\}$, 

$$\begin{aligned}
P_1 = {} & \{\, q_1 \mapsto \mathtt{ccq};\ \mathtt{ifzero}\ 3\ (\mathtt{spark}\ q_2)\ (\mathtt{spark}\ q_3) \mid q_1 \in \mathit{opp}_{\mathfrak{A}_1} \cap \mathit{qst}_{\mathfrak{A}_1} \wedge q_2 = \pi_{12}(q_1) \wedge q_3 = \pi_{13}(q_1) \,\} \\
& \cup \{\, a_1 \mapsto \mathtt{cca};\ \mathtt{ifzero}\ 3\ (\mathtt{spark}\ a_2)\ (\mathtt{spark}\ a_3) \mid a_1 \in \mathit{opp}_{\mathfrak{A}_1} \cap \mathit{ans}_{\mathfrak{A}_1} \wedge a_2 = \pi_{12}(a_1) \wedge a_3 = \pi_{13}(a_1) \,\} \\[4pt]
P_i = {} & \{\, q_i \mapsto 3 \leftarrow \mathtt{set}\ (i-2);\ \mathtt{ccq};\ \mathtt{spark}\ q_1 \mid q_i \in \mathit{ini}_{\mathfrak{A}_i} \wedge q_1 = \pi_{i1}(q_i) \,\} \\
& \cup \{\, q_i \mapsto \mathtt{ccq};\ \mathtt{spark}\ q_1 \mid q_i \in (\mathit{opp}_{\mathfrak{A}_i} \cap \mathit{qst}_{\mathfrak{A}_i}) \setminus \mathit{ini}_{\mathfrak{A}_i} \wedge q_1 = \pi_{i1}(q_i) \,\} \\
& \cup \{\, a_i \mapsto \mathtt{cca};\ \mathtt{spark}\ a_1 \mid a_i \in \mathit{opp}_{\mathfrak{A}_i} \cap \mathit{ans}_{\mathfrak{A}_i} \wedge a_1 = \pi_{i1}(a_i) \,\}.
\end{aligned}$$

The diagonal is almost identical to the copycat, except that an integer value of 
0 or 1 is associated, in the heap, with the name of each message arriving on the 
$A_2$ and $A_3$ interfaces (hence the set statements, to be used for routing back 
messages arriving on $A_1$ using ifzero statements). By abuse of notation, we 
also write $\delta$ for the net $\mathit{singleton}(\delta)$. 

Lemma 3.28. The $\delta$ net is the diagonal net, i.e. $[\![ \delta_{\pi_{12},\pi_{13},\mathfrak{A}} ; \Pi_1 ]\!] = [\![ \mathfrak{CC}_{\pi_{12},\mathfrak{A}_1,\mathfrak{A}_2} ]\!]$. 

Proof. We show that $s \in [\![ \delta_{\pi_{12},\pi_{13},\mathfrak{A}} ; \Pi_1 ]\!]$ implies $s \in [\![ \mathfrak{CC}_{\pi_{12},\mathfrak{A}_1,\mathfrak{A}_2} ]\!]$ and the converse 
(the $\Pi_2$ case is analogous), by induction on the trace length. There is a simple 
relationship between the heap structures of the respective net configurations: 
they have the same structure, but the diagonal stores additional integers for 
identifying what "side" a move comes from. □ 



3.6 Fixpoint 

We define a family of GAMs $\mathit{Fix}_{\mathfrak A}$ with interfaces $(\mathfrak{A}_1 \Rightarrow \mathfrak{A}_2) \Rightarrow \mathfrak{A}_3$ where there 
exist permutations $\pi_{ij}$ such that $\pi_{ij} \vdash \mathfrak{A}_j =_\alpha \mathfrak{A}_i$ for $i \neq j \in \{1,2,3\}$. The 
fixpoint engine is defined as $\mathit{Fix}_{\pi_{12},\pi_{13},\mathfrak{A}} = \Lambda^{-1}(\delta_{\pi_{12},\pi_{13},\mathfrak{A}})$. 

Let $\mathit{fix}_{\pi_{12},\pi_{13},\mathfrak{A}} : (\mathfrak{A} \Rightarrow \pi_{12} \cdot \mathfrak{A}) \Rightarrow \pi_{13} \cdot \mathfrak{A}$ be the game-semantic strategy for 
fixpoint in Hyland-Ong games [13, p. 364]. 

Theorem 3.29. $\mathit{Fix}_{\pi_{12},\pi_{13},\mathfrak{A}}$ implements $\mathit{fix}_{\pi_{12},\pi_{13},\mathfrak{A}}$. 

The proof of this is immediate considering the three cases of moves from the 
definition of the game-semantic strategy. It is interesting to note here that we 
"force" a HRAM with interface $A_1 \Rightarrow A_2 \otimes A_3$ into a GAM with game interface 
$(\mathfrak{A}_3 \Rightarrow \mathfrak{A}_1) \Rightarrow \mathfrak{A}_2$, which has underlying interface $(A_3 \Rightarrow A_1) \Rightarrow A_2$. In the 
HRAM-net category, which is symmetric compact-closed, the two interfaces 
are isomorphic (with $A_1 \otimes A_2 \otimes A_3$), but as game interfaces they are not. It is 
rather surprising that we can reuse our diagonal GAMs in such brutal fashion: 
in the game interface for fixpoint there is a reversed enabling relation between 
$A_3$ and $A_1$. The reason why this still leads to legal plays only is because the onus 
of producing the justification pointers in the initial move for $A_3$ lies with the 
Opponent, which cannot exploit the fact that the diagonal is "wired illegally". 
It only sees the fixpoint interface and must play accordingly. It is fair to say 
that the fixpoint interface is more restrictive to the Opponent than the diagonal 
interface, because the diagonal interface allows extra behaviours, e.g. sending 
initial messages in $A_3$, which are no longer legal. 



3.7 Other ICA constants 

A GAM net for an integer literal $n$ can be defined using the following engine 
(whose interface corresponds to the ICA exp type). 

$$\mathit{lit}_n = (\{(O,q),(P,a)\},\ P), \text{ where } P = \{\, q \mapsto \mathtt{flip}\ 0,1;\ 1 \leftarrow \mathtt{set}\ 0;\ 2 \leftarrow \mathtt{set}\ n;\ \mathtt{spark}\ a \,\}$$

We see that upon getting an input question on port $q$, this engine will respond 
with a legal answer containing $n$ as its value (register 2). 

The conditional at type exp can be defined using the following engine, with the 
convention that $\{(O,q_i),(P,a_i)\} = \mathit{exp}_i$. 

$$\begin{aligned}
\mathit{if} = {} & (\mathit{exp}_1 \Rightarrow \mathit{exp}_2 \Rightarrow \mathit{exp}_3 \Rightarrow \mathit{exp}_4,\ P), \text{ where} \\
P = {} & \{\, q_4 \mapsto \mathtt{ccq};\ \mathtt{spark}\ q_1, \\
& \phantom{\{\,} a_1 \mapsto \mathtt{cca};\ \mathtt{flip}\ 0,1;\ \mathtt{ccq};\ \mathtt{ifzero}\ 2\ (\mathtt{spark}\ q_3)\ (\mathtt{spark}\ q_2), \\
& \phantom{\{\,} a_2 \mapsto \mathtt{cca};\ \mathtt{spark}\ a_4, \\
& \phantom{\{\,} a_3 \mapsto \mathtt{cca};\ \mathtt{spark}\ a_4 \,\}
\end{aligned}$$

We can also define primitive operations, e.g. $+ : \mathit{exp} \Rightarrow \mathit{exp} \Rightarrow \mathit{exp}$, in a similar 
manner. An interesting engine is that for newvar: 

$$\begin{aligned}
\mathit{newvar} = {} & ((\mathit{exp}_1 \otimes (\mathit{exp}_2 \Rightarrow \mathit{com}_3) \Rightarrow \mathit{exp}_4) \Rightarrow \mathit{exp}_5,\ P) \\
P = {} & \{\, q_5 \mapsto 3 \leftarrow \mathtt{set}\ 0;\ \mathtt{ccq};\ \mathtt{spark}\ q_4, \\
& \phantom{\{\,} q_1 \mapsto 0,2 \leftarrow \mathtt{get}\ 0;\ \mathtt{flip}\ 0,1;\ 1 \leftarrow \mathtt{set}\ 0;\ \mathtt{spark}\ a_1, \\
& \phantom{\{\,} q_3 \mapsto \mathtt{flip}\ 0,1;\ 1 \leftarrow \mathtt{new}\ 0,1;\ \mathtt{spark}\ q_2, \\
& \phantom{\{\,} a_2 \mapsto 0,3 \leftarrow \mathtt{get}\ 0;\ \mathtt{update}\ 3\ 2;\ \mathtt{cca};\ \mathtt{spark}\ a_3, \\
& \phantom{\{\,} a_4 \mapsto \mathtt{cca};\ \mathtt{spark}\ a_5 \,\}
\end{aligned}$$

We see that we store the variable in the second component of the justification 
pointer that justifies $q_4$, so that it can be accessed in subsequent requests. A 
slight problem is that moves in $\mathit{exp}_2$ will actually not be justified by this pointer, 
which we remedy in the $q_3$ case by storing a pointer to the pointer with the 
variable as the second component of the justifier of $q_2$, which means that we 
can access and update the variable in $a_2$. 

We can easily extend the HRAMs with new instructions to interpret parallel 
execution and semaphores, but we omit them from the current presentation. 



4 Seamless distributed compilation for ICA 

4.1 The language ICA 

ICA is PCF extended with constants to facilitate local effects. Its ground 
types are expressions and commands ($\mathit{exp}$, $\mathit{com}$), with the type of assignable 
variables desugared as $\mathit{var} = \mathit{exp} \times (\mathit{exp} \to \mathit{com})$. Dereferencing and assignment 
are desugared as the first, respectively second, projections from the type of 
assignable variables. The local variable binder is $\mathit{new} : (\mathit{var} \to \mathit{com}) \to \mathit{com}$. 
ICA also has a type of split binary semaphores $\mathit{sem} = \mathit{com} \times \mathit{com}$, with the 
first and second projections corresponding to set, get, respectively (see [14] for 
the full definition, including the game-semantic model). 

Figure 8: GAM net for application 

In this section we give a compilation method for ICA into GAM nets. The 
compilation is compositional on the syntax and it uses the constructs of the 
previous section. ICA types are compiled into GAM interfaces which correspond 
to their game-semantic arenas in the obvious way. We will use $A, B, \ldots$ to refer 
to an ICA type and to the GAM interface. Sec. 3 has already developed all 
the infrastructure needed to interpret the constants of ICA (Sec. 3.7), including 
fixpoint (Sec. 3.6). Given an ICA type judgment $\Gamma \vdash M : A$ with $\Gamma$ a list of 
variable-type assignments $x_i : A_i$, $M$ a term and $A$ a type, a GAM implementing 
it $G_M$ is defined compositionally on the syntax as follows: 



$$\begin{aligned}
G_{\Gamma \vdash M M' : B} &= \delta_{\pi_{\Gamma 1},\pi_{\Gamma 2},\Gamma} ;_{GAM} (G_{\Gamma \vdash M : A \to B} \otimes G_{\Gamma \vdash M' : A}) ;_{GAM} \mathit{eval}_{A,B} \\
G_{\Gamma \vdash \lambda x{:}A.\,M : A \to B} &= \Lambda_A(G_{\Gamma, x:A \vdash M : B}) \\
G_{x:A, \Gamma \vdash x : A} &= \Pi_{0,A'} ;_{GAM} \mathfrak{CC}_{A,A'}
\end{aligned}$$

where $\mathit{eval}_{A,B} = \Lambda_B(\mathfrak{CC}_{A \Rightarrow B,\pi})$ for a suitably chosen port renaming $\pi$, and 
$\Pi_{0,A}$, $\Pi_{01}$ and $\Pi_{02}$ are HRAMs with signatures $\Pi_{0i} = (A_1 \otimes A_2 \Rightarrow A_3,\ P_i)$ 
such that they copycat between $A_3$ and $A_i$ and ignore the other component. The interpretation 
of function application, which is the most complex, is shown diagrammatically 
in Fig. 8. The copycat connections are shown using dashed lines. 

Theorem 4.1. If $M$ is an ICA term, $G_M$ is the GAM implementing it and $\sigma_M$ 
its game-semantic strategy, then $G_M$ implements $\sigma_M$. 

The correctness of compilation follows directly from the correctness of the indi- 
vidual GAM nets and the correctness of GAM composition $;_{GAM}$. 



4.2 Prototype implementation 

Following the recipe in the previous section we can produce an implementation 
of any ICA term as a GAM net. GAMs are just special-purpose HRAMs, with 
no special operations. HRAMs, in turn, can easily be implemented on any con- 
ventional computer with the usual store, control and communication facilities. A 
GAM net is also just a special-purpose HRAM net, which is a powerful abstrac- 
tion of communication processes, as it subsumes, through the spark instruction, 
communication between processes (threads) on the same physical machine or 
located on distinct physical machines and communicating via a point-to-point 
network. We have built a prototype compiler based on GAMs by implement- 
ing them in C, managing processes using standard UNIX threads and physical 
network distribution using MPI [17].² 

² Download with source code from http://veritygos.org/gams 

Figure 9: Optimised GAM net for application 

The actual distribution is achieved using light pragma-like code annotations. In 
order to execute a program at node A but delegate one computation to node B 
and another computation to node C we simply annotate an ICA program with 
node names, e.g.: 

{new x. x := {f(x)}@B + {g(x)}@C; !x}@A 

Note that this gives node B, via function $f$, read-write access to memory location 
$x$, which is located at node A. Accessing non-local resources is possible, albeit 
possibly expensive. 

Several facts make the compilation process quite remarkable: 

• It is seamless (in the sense of [8]), allowing distributed compilation where 
communication is never explicit but always realised through function calls. 

• It is flexible, allowing any syntactic sub-term to be located at any desig- 
nated physical location, with no impact on the semantics of the program. 
The access of non-local resources is always possible, albeit possibly at a 
cost (latency, bandwidth, etc.). 

• It is dynamic, allowing the relocation of GAMs to different physical nodes 
at run time. This can be done with extremely low overhead if the GAM 
heap is empty. 

• It does not require any form of garbage collection, even on local nodes, 
although the language combines (ground) state, higher-order functions 
and concurrency. This is because a pointer associated with a question is 
not needed if and only if the question is answered; then it can be safely 
deallocated. 

The current implementation does not perform any optimisations, and the result- 
ing code is inefficient. Looking at the implementation of application in Fig. 8 it 
is quite clear that a message entering the GAM net via port $A$ needs to undergo 
four pointer renamings before reaching the GAM for $M$. This is the cost we 
pay for compositionality. However, the particular configuration for application 
can be significantly simplified using standard peephole optimisation, and we 
can reach the much simpler, still correct implementation in Fig. 9. Here the 
functionality of the two compositions, the diagonal, and the eval GAMs have 
been combined and optimised into a single GAM, requiring only one pointer re- 
naming before reaching $M$. Other optimisations can be introduced to simplify 
GAM nets, in particular to obviate the need for the use of composition GAMs 
$K$, for example by showing that composition of first-order closed terms (such 
as those used for most constants) can be done directly. 



5 Conclusions, further work 

In a previous paper we have argued that distributed and heterogeneous pro- 
gramming would benefit from the existence of architecture-agnostic, seamless 
compilation methods for conventional programming languages which can allow 
the programmer to focus on solving algorithmic problems without being over- 
whelmed by the minutiae of driving complex computational systems [8]. In 
loc. cit. we give such a compiler for PCF, based directly on the Geometry 
of Interaction. In this paper we show how Game Semantics can be expressed 
operationally using abstract machines very similar to networked conventional 
computers, a further development of the IAM/JAM game machines. We be- 
lieve any programming language with a semantic model expressed as Hyland- 
Ong-style pointer games [19] can be readily represented using GAMs and then 
compiled to a variety of platforms such as MPI. Even more promising is the 
possible leveraging of more powerful infrastructure for distributed computing 
that can mask much of the complexities of distributed programming, such as 
fault-tolerance [23]. 

The compositional nature of the compiler is very important because it gives 
rise to a very general notion of foreign-function interface, expressible both as 
control and as communication, which allows a program to interface with other 
programs, in a syntax-independent way (see [13] for a discussion), opening the 
door to the seamless development of heterogeneous open systems in a distributed 
setting. 

We believe we have established a solid foundational platform on which to build 
realistic seamless distributed compilers. Further work is needed in optimising 
the output of the compiler which is currently, as discussed, inefficient. The 
sources of inefficiency in this compiler are not just the generation of heavy-duty 
plumbing, but also the possibly unwise assignment of computation to nodes, 
requiring excessive network communication. Previous work in game semantics 
for resource usage can be naturally adapted to the operational setting of the 
GAMs and facilitate the automation of optimised task assignment 